(Original Signature of Member)


116th CONGRESS 
1st Session 


H.R. 


To provide for individual rights relating to privacy of personal information, 
to establish privacy and security requirements for covered entities relating 
to personal information, and to establish an agency to be known as 
the United States Digital Privacy Agency to enforce such rights and 
requirements, and for other purposes. 


IN THE HOUSE OF REPRESENTATIVES 


Ms. ESHOO introduced the following bill; which was referred to the Committee 
on 


A BILL 

To provide for individual rights relating to privacy of personal
information, to establish privacy and security requirements for
covered entities relating to personal information, and to establish
an agency to be known as the United States Digital Privacy Agency to
enforce such rights and requirements, and for other purposes.

Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

(a) Short Title.—This Act may be cited as the “Online Privacy Act
of 2019”.

(b) Table of Contents.—The table of contents for this Act is as
follows:

Sec. 1. Short title; table of contents. 

Sec. 2. Definitions. 

Sec. 3. Prohibition on waivers. 

Sec. 4. Effective date. 

Sec. 5. Journalism protection. 

Sec. 6. Small business compliance ramp. 

Sec. 7. Criminal prohibition on disclosing personal information. 

Sec. 8. Limitation on disclosing nonredacted government records. 

TITLE I—INDIVIDUAL RIGHTS 

Sec. 101. Right of access. 

Sec. 102. Right of correction. 

Sec. 103. Right of deletion. 

Sec. 104. Right of portability. 

Sec. 105. Right to human review of automated decisions. 

Sec. 106. Right to individual autonomy. 

Sec. 107. Right to be informed. 

Sec. 108. Right to impermanence. 

Sec. 109. Exemptions, exceptions, fees, timelines, and rules of construction for 
rights under this title. 

TITLE II—REQUIREMENTS FOR COVERED ENTITIES, SERVICE PROVIDERS, AND
THIRD PARTIES

Sec. 201. Minimization and articulated basis for collection, processing, and 
maintenance. 

Sec. 202. Minimization and records of access by employees and contractors. 

Sec. 203. Prohibition on the collection or maintenance of personal information. 
Sec. 204. Prohibitions on the disclosure of personal information. 

Sec. 205. Disclosure to entities not subject to United States jurisdiction or not
compliant with this Act.

Sec. 206. Prohibition on reidentification. 

Sec. 207. Restrictions on collection, processing and disclosure of contents of 
communications. 

Sec. 208. Prohibition on discriminatory processing. 

Sec. 209. Restrictions on genetic information. 

Sec. 210. Requirements for notice and consent processes and privacy policies. 
Sec. 211. Prohibition on deceptive notice and consent processes and privacy 
policies. 

Sec. 212. Notice and consent required. 

Sec. 213. Privacy policy. 

Sec. 214. Information security requirements. 

Sec. 215. Notification of data breach or data sharing abuse. 

TITLE III—UNITED STATES DIGITAL PRIVACY AGENCY

Sec. 301. Establishment.

Sec. 302. Executive and administrative powers. 

Sec. 303. Rulemaking authority. 

Sec. 304. Personnel. 

Sec. 305. Complaints of individuals. 

Sec. 306. User advisory board. 

Sec. 307. Academic and research advisory board. 

Sec. 308. Small business and investor advisory board. 

Sec. 309. Consultation. 

Sec. 310. Reports. 

Sec. 311. Grants for developing open-source machine learning training data. 

Sec. 312. Annual audits. 

Sec. 313. Inspector General. 

Sec. 314. Authorization of appropriations. 

TITLE IV—ENFORCEMENT 

Sec. 401. Definitions. 

Sec. 402. Investigations and administrative discovery.

Sec. 403. Hearings and adjudication proceedings. 

Sec. 404. Litigation authority. 

Sec. 405. Coordination with other Federal agencies. 

Sec. 406. Enforcement by States. 

Sec. 407. Private rights of action. 

Sec. 408. Relief available. 

Sec. 409. Referral for criminal proceedings. 

Sec. 410. Whistleblower enforcement. 

TITLE V—RELATION TO OTHER LAW 

Sec. 501. Relation to other Federal law. 

Sec. 502. Severability. 

SEC. 2. DEFINITIONS.

In this Act:

(1) Agency.—The term “Agency” means the United States Digital
Privacy Agency established by section 301.

(2) Behavioral personalization.—

(A) In general.—The term “behavioral personalization” means the
processing of an individual’s personal information, using an
algorithm, model, or other means built using that individual’s
personal information collected over a period of time, or an
aggregate of the personal information of one or more similarly
situated individuals and designed to—

(i) alter, influence, guide, or predict an individual’s behavior;

(ii) tailor or personalize a product or service; or

(iii) filter, sort, limit, promote, display or otherwise
differentiate between specific content or categories of content that
would otherwise be accessible to the individual.

(B) Exclusions.—The term “behavioral personalization” does not
include the use of historical personal information to merely prevent
the display of or provide additional information about previously
accessed content.

(3) Collect.—The term “collect” includes, with respect to personal
information or contents of communication, obtaining such information
in any manner, except when solely transmitting, routing, providing
intermediate storage for, or providing connections for personal
information through a system or network.

(4) Contents.—The term “contents”, when used with respect to
communication, has the meaning given such term in section 2510 of
title 18, United States Code.

(5) Covered entity.—

(A) In general.—The term “covered entity” means a person who—

(i) intentionally collects, processes, or maintains personal
information; and

(ii) sends or receives such personal information over the internet
or a similar communications network.

(B) Exclusion.—The term “covered entity” does not include a natural
person, except to the extent such person is engaged in a commercial
activity that is more than de minimis.

(6) Data breach.—The term “data breach” means unauthorized access to
or acquisition of personal information or contents of communications
maintained by such covered entity.

(7) Data sharing abuse.—The term “data sharing abuse” means
processing, by a third party, of personal information or contents of
communications disclosed by a covered entity to the third party, for
any purpose other than—

(A) a purpose specified by the covered entity to the third party at
the time of disclosure; or

(B) a purpose to which the individual to whom the information
relates has consented.

(8) De-identified.—

(A) In general.—The term “de-identified” means information that
cannot reasonably identify, relate to, describe, reference, be
capable of being associated with, or be linked, directly or
indirectly, to a particular individual or device, provided that a
business that uses de-identified information—

(i) has de-identified the personal information using best practices
for the types of data the information contains;

(ii) has implemented technical safeguards that prohibit
re-identification of the individual with whom the information was
linked;

(iii) has implemented business processes that specifically prohibit
re-identification of the information;

(iv) has implemented business processes to prevent inadvertent
release of de-identified information; and

(v) makes no attempt to re-identify the information.

(B) The Director may determine that a methodology of de-identifying
personal information is insufficient for the purposes of this
definition.

(9) Director.—The term “Director” means the Director of the Agency.

(10) Disclose.—The term “disclose” means, with respect to personal
information or contents of communication, to sell, release,
transfer, share, disseminate, make available, or otherwise cause to
be communicated such information to a third party.

(11) Individual.—The term “individual” means a natural person
residing in the United States.

(12) Maintain.—The term “maintain” means, with respect to personal
information or contents of communication, to store, secure, or
otherwise cause the retaining of such information, or taking actions
necessary for such purposes.

(13) Personal information.—

(A) In general.—The term “personal information” means any
information maintained by a covered entity that is linked or
reasonably linkable to a specific individual or a specific device,
including de-identified personal information and the means to
behavioral personalization created for or linked to a specific
individual.

(B) Exclusions.—The term “personal information” does not include—

(i) publicly available information related to an individual; or

(ii) information derived or inferred from personal information, if
the derived or inferred information is not linked or reasonably
linkable to a specific individual.

(14) Privacy harm.—The term “privacy harm” means adverse
consequences or potential adverse consequences to an individual or
society arising from the collection, processing, maintenance, or
disclosure of personal information, including—

(A) direct or indirect financial loss or economic harm;

(B) physical harm;

(C) psychological harm, including anxiety, embarrassment, fear, and
other demonstrable mental trauma;

(D) adverse outcomes or decisions with respect to the eligibility of
an individual for rights, benefits, or privileges in employment
(including hiring, firing, promotion, demotion, and compensation),
credit and insurance (including denial of an application or
obtaining less favorable terms), housing, education, professional
certification, or the provision of health care and related services;

(E) stigmatization or reputational harm;

(F) price discrimination;

(G) other adverse consequences that affect the private life of an
individual, including private family matters and actions and
communications within the home of such individual or a similar
physical, online, or digital location where such individual has a
reasonable expectation that personal information will not be
collected, processed, or retained;

(H) chilling of free expression or action of an individual, group of
individuals, or society generally, due to perceived or actual
pervasive and excessive collection, processing, disclosure, or
maintenance of personal information by a covered entity;

(I) impairing the autonomy of an individual, group of individuals,
or society generally; and

(J) other adverse consequences or potential adverse consequences,
consistent with the provisions of this Act, as determined by the
Director.

(15) Privacy preserving computing.—

(A) In general.—The term “privacy preserving computing” means—

(i) the collecting, processing, disclosing, or maintaining of
personal information that has been encrypted or otherwise rendered
unintelligible using a means that cannot be reversed by a covered
entity, or a covered entity’s service provider, such that—

(I) if such personal information could be rendered intelligible
through cooperation or sharing of cryptographic secrets by multiple
persons, the covered entity has both technical safeguards and
business processes to prevent such cooperation or sharing;

(II) if such personal information is rendered intelligible within a
hardware processing unit or other means of performing operations on
the information, there are technical safeguards that, during the
normal course of operation—

(aa) prevent rendering personal information intelligible anywhere
but within the hardware processing unit or other means of performing
operations; and

(bb) make the exporting or otherwise observing of such intelligible
information, or the cryptographic secret used to protect such
information, impossible; and

(III) if the result of such processing of the personal information
is also personal information, such result must be unintelligible to
the covered entity or service provider and protected by privacy
preserving computing.

(B) Insufficient methodologies.—The Director may determine that a
methodology of privacy preserving computing is insufficient for the
purposes of this definition.

(16) Process.—The term “process” means to perform or cause to be
performed any operation or set of operations on personal information
or contents of communication, whether or not by automated means.

(17) Protected class.—The term “protected class” means the actual or
perceived race, color, ethnicity, national origin, religion, sex
(including sexual orientation and gender identity), familial status,
or disability of an individual or group of individuals.

(18) Publicly available information.—The term “publicly available
information” means—

(A) information that is lawfully made available from Federal, State,
or local government records;

(B) information about a public individual or official that is made
publicly accessible, without restrictions on accessibility other
than the general authorization to access the services used to make
the information accessible;

(C) information made publicly accessible by the individual to whom
it pertains, without restrictions on accessibility other than the
general authorization to access the services used to make the
information accessible, and that such individual has the ability to
delete or change without relying on a request under section 102 or
103 of this Act; and

(D) does not include—

(i) biometric information collected by a covered entity relating to
an individual without the individual’s knowledge;

(ii) information used for a purpose that is not compatible with the
purpose for which the information is maintained and made available
in government records;

(iii) information obtained from government records for the purpose
of selling such information; or

(iv) information used to contact or locate a private individual
either physically or electronically.

(19) Reasonable mechanism.—The term “reasonable mechanism” means, in
the case of a mechanism for individuals to exercise a right under
title I or interact with a covered entity under title II, that such
mechanism—

(A) is equivalent in availability and ease of use to that of other
mechanisms for communicating or interacting with the covered entity;
and

(B) includes an online means of exercising such right or engaging in
such interaction, if such individuals communicate or interact with
such covered entity through an online medium or if such covered
entity provides information processing services through a public or
widely available application programming interface (or similar
mechanism).

(20) Sell and sale.—

(A) In general.—The terms “sell” and “sale” means the disclosure of
personal information for monetary consideration by a covered entity
to a third party for the purposes of processing, maintaining or
disclosing such personal information at the third party’s
discretion.

(B) Exclusions.—The terms “sell” and “sale” do not include—

(i) the disclosure of personal data to a third party with which the
individual has a direct relationship for purposes of providing a
product or service requested by the individual or otherwise in a
manner that is consistent with an individual’s reasonable
expectations considering the context in which the individual
provided the personal information to the covered entity;

(ii) the disclosure or transfer of personal information to a
subsidiary or an affiliate of the covered entity; or

(iii) the disclosure or transfer of personal information to a third
party as an asset that is part of a merger, acquisition, bankruptcy,
or other transaction in which the third party assumes control of all
or part of the covered entity’s assets, unless such assets are
limited to personal information unless personal information makes up
the majority of the value of such assets.

(21) Service provider.—

(A) In general.—The term “service provider” means a covered entity
who—

(i) processes, discloses, or maintains personal information, where
such person does not process, disclose, or maintain the personal
information other than in accordance with the directions and on
behalf of another covered entity;

(ii) does not directly collect personal information from or control
the mechanism for collecting personal information from an
individual;

(iii) does not earn revenue from processing, maintaining, or
disclosing personal information disclosed to the service provider by
a covered entity except by providing contracted services to another
covered entity;

(iv) does not disclose personal information to another covered
entity unless it was provided by that covered entity or resulted
from maintaining or processing performed on personal information
exclusively provide by that covered entity;

(v) does not offer services that allow another covered entity to
target specific individuals using personal information not provided
by that covered entity;

(vi) assists a covered entity on behalf of which it processes
personal information to comply with title I, with respect to
personal information processed or maintained by the service provider
on behalf of the covered entity, including providing tools for such
covered entities requirements under title I if requested; and

(vii) does not link the personal information provided by another
covered entity to personal information from any other source.

(B) Any such person, and the personal information they disclose,
process, or maintain, shall be treated as a service provider under
this Act only to the extent that such person complies with the
requirements under (A).

(22) Significant privacy harm.—The term “significant privacy harm”
means adverse consequences to an individual arising from the
collection, processing, maintenance, or disclosure of personal
information, limited to subparagraph (A), (B), or (D) of paragraph
(14).

(23) Small business.—The term “small business” means a covered
entity that—

(A) does not earn revenue from the sale of personal information;

(B) earns less than half of annual revenues from the processing of
personal information for targeted or personalized advertising;

(C) has not, at any time during the preceding 6-month period,
maintained personal information of 250,000 or more individuals;

(D) has fewer than 200 employees; and

(E) received less than $25,000,000 in gross revenue in the preceding
12-month period.

(24) State.—The term “State” means each State of the United States,
the District of Columbia, each commonwealth, territory, or
possession of the United States, and each federally recognized
Indian Tribe.

(25) Third party.—The term “third party” means, with respect to a
covered entity, a person—

(A) to whom such covered entity disclosed personal information; and

(B) is not—

(i) such covered entity;

(ii) a subsidiary or corporate affiliate of such covered entity; or

(iii) a service provider of such covered entity.

SEC. 3. PROHIBITION ON WAIVERS.

(a) In General.—The provisions under this Act may not be waived. Any
agreement purporting to waive compliance with or modify any
provision of this Act shall be void as contrary to public policy.

(b) Prohibition on Predispute Arbitration Agreements.—No predispute
arbitration agreement shall be valid or enforceable with respect to
any claims under this Act.

SEC. 4. EFFECTIVE DATE.

(a) In General.—This Act shall apply beginning on the date that is 1
year after the date of the enactment of this Act.

(b) Authority to Promulgate Regulations and Take Certain Other
Actions.—Nothing in subsection (a) affects the authority to take an
action expressly required by a provision of this Act to be taken
before the effective date described in such subsection.

SEC. 5. JOURNALISM PROTECTION.

(a) In General.—Covered entities engaged in journalism shall not be
subject to the obligations imposed under this Act to the extent that
those obligations directly infringe on the journalism rather than
the business practices of the covered entity, so long as, the
covered entity has technical safeguards and business processes that
prevent the collection, processing, maintaining, or disclosure of
such personal information for business practices other than
journalism.

(b) Journalism.—The term “journalism” includes the collecting,
maintaining, processing, and disclosing of personal information
about a public individual or official, or that otherwise concerns
matters of public interest, for dissemination to the public.

SEC. 6. SMALL BUSINESS COMPLIANCE RAMP.

Upon losing its status as a small business, a covered entity shall
have nine months to comply with provisions of this Act that a small
business is exempt from complying with.

SEC. 7. CRIMINAL PROHIBITION ON DISCLOSING PERSONAL INFORMATION.

Chapter 41 of title 18, United States Code, is amended by adding at
the end the following:

“§881. Disclosure of personal information with the intent to cause
harm

“Whoever uses a channel of interstate or foreign commerce to
knowingly disclose an individual’s personal information—

“(1) with the intent to threaten, intimidate, or harass any person,
incite or facilitate the commission of a crime of violence against
any person, or place any person in reasonable fear of death or
serious bodily injury; or

“(2) with the intent that the information will be used to threaten,
intimidate, or harass any person, incite or facilitate the
commission of a crime of violence against any person, or place any
person in reasonable fear of death or serious bodily injury,

shall be fined under this title or imprisoned not more than 5 years,
or both.”.

SEC. 8. LIMITATION ON DISCLOSING NONREDACTED GOVERNMENT RECORDS.

(a) In General.—A Federal or State government entity may not use a
channel of interstate commerce to disclose the personal information
of an individual in a government record without an agreement
prohibiting the recipient of such information from selling the
information without the express consent of the individual for each
disclosure.

(b) Exception.—Notwithstanding subsection (a), nothing in this
section shall prohibit the disclosure of personal information using
a channel of interstate commerce to another government entity
without consent of the individual.

TITLE I—INDIVIDUAL RIGHTS

SEC. 101. RIGHT OF ACCESS.

(a) In General.—A covered entity shall make available a reasonable
mechanism by which an individual may access—

(1) the categories of personal information and contents of
communications of such individual that is maintained by such covered
entity, including, in the case of personal information that such
covered entity did not collect from such individual, how and from
whom such covered entity obtained such personal information;

(2) a list of the third parties, subsidiaries, and corporate
affiliates, to which such covered entity has disclosed and from
which such covered entity has, at any time on or after the effective
date specified in section 4(a), obtained the personal information of
such individual;

(3) a concise and clear description of the business or commercial
purposes of such covered entity—

(A) for collecting, processing, or maintaining the personal
information of such individual; and

(B) for disclosing to a third party the personal information of such
individual; and

(4) a list of automated decision-making processes that an individual
has a right to request human review of under section 105 with a
concise and clear description of the implications and intended
effects of such process.

(b) Exception for Publicly Accessibly Information.—A covered entity
that makes available information required in subsection (a) shall be
considered in compliance with such requirements if the covered
entity provides an individual instructions on how to access a public
posting of such information, including in a privacy policy, if the
instructions are easy and do not require payment.

(c) Small Businesses Excluded.—Subsection (a)(3) does not apply to a
small business.

SEC. 102. RIGHT OF CORRECTION.

(a) Dispute by Individual.—A covered entity shall make available a
reasonable mechanism by which an individual may dispute the accuracy
or completeness of personal information linked to such individual
that is maintained by such covered entity if such information is
processed in any way, by such covered entity, a third party of such
covered entity, or a service provider of such covered entity that
may increase reasonably foreseeable significant privacy harms.

(b) Correction by Covered Entity.—A covered entity receiving a
dispute under subsection (a) shall—

(1) correct or complete (as the case may be) the disputed
information and notify such individual that the correction or
completion has been made; or

(2) notify such individual that—

(A) the disputed information is correct or complete;

(B) such covered entity lacks sufficient information to correct or
complete the disputed information; or

(C) such covered entity is denying the request for correction or
completion in reliance on an exemption or exception provided by
section 109(g) (with the notification containing an identification
of the specific exemption or exception relied upon).

(c) Small Businesses Excluded.—This section does not apply to a
small business.

SEC. 103. RIGHT OF DELETION.

(a) Request by Individual.—A covered entity shall make available a
reasonable mechanism by which an individual may request the deletion
of personal information and contents of communications of such
individual maintained by such covered entity, including any such
information that such covered entity acquired from a third party or
inferred from other information maintained by such covered entity.

(b) Deletion by Covered Entity.—A covered entity receiving a request
for deletion under subsection (a) shall—

(1) delete such information and notify such individual that such
information has been deleted; or

(2) notify such individual that such covered entity is denying the
request for deletion in reliance on an exemption or exception
provided by section 109(g) (with the notification containing an
identification of the specific exemption or exception relied upon).

SEC. 104. RIGHT OF PORTABILITY.

(a) Determination of Portable Categories.—

(1) Annual determination.—Not less frequently than once per year,
the Director shall—

(A) establish categories of products and services offered by covered
entities, based on similarities in the products and services;

(B) determine which categories established under subparagraph (A)
are portable categories; and

(C) publish in the Federal Register a list of portable categories
determined under subparagraph (B).

(2) Opportunity for public comment.—Before publishing the final list
under paragraph (1)(C), the Director shall—

(A) publish a draft of such list in the Federal Register; and

(B) provide for an opportunity for public comment on such draft
list.

(b) Exercise of Right.—

(1) In general.—A covered entity that offers a product or service in
a portable category shall make available to an individual whose
personal information or contents of communications such entity
maintains a reasonable mechanism by which such individual may—

(A) download, in a format that is structured, commonly used, and
machine-readable—

(i) any personal information of such individual that such individual
has provided to such covered entity, with the option to download
such information by category that is accessible under section 101 of
this Act; and

(ii) any contents of communications; and

(B) using a real-time application programming interface, or similar
mechanism, transmit all personal information and contents of
communications of or related to such individual (whether or not
provided to such covered entity by such individual) from such
covered entity to another covered entity in accordance with
subsection (c).

(2) Requirements for application programming interface.—The
application programming interface, or similar mechanism, required by
paragraph (1)(B) shall—

(A) be publicly documented;

(B) allow the option of data to be obtained by category that is
accessible under section 101;

(C) include a publicly available, fully functional test version for
development purposes; and

(D) be of similar quality to mechanisms used internally by the
covered entity.

(c) Requirements for Access to Application 
Programming Interface.— 

(1) Access.—A covered entity shall provide access
to the application programming interface or
similar mechanism required by subsection (b)(1)(B)
upon the request of another covered entity if the requesting
covered entity has self-certified, using the
procedures established by the Director under paragraph
(3)(A), that such requesting covered entity—

(A) is a covered entity; 

(B) can have personal information disclosed
to it under section 205 of this Act;

(C) is, at the time of the self-certification,
in compliance with all requirements of this Act
(including provisions a small business is otherwise
exempt from complying with);

(D) will continue to comply with all requirements
of this Act; and

(E) will only use such application programming
interface or similar mechanism at the express
request of an individual.

(2) Denial of access.— 

(A) In general.—A covered entity may
deny access to the application programming
interface or similar mechanism required by subsection
(b)(1)(B) if such covered entity has an
objective, reasonable belief that the requesting
covered entity has failed to meet the requirements
for self-certification under paragraph (1).

(B) Review.—In accordance with the procedures
established under paragraph (3)(B), a
covered entity the request of which is denied
under subparagraph (A) may petition the Director
for review of the denial. If the Director
finds that such denial is unreasonable, the Director
may impose a penalty, to be established
in such procedures, on the covered entity that
denied the request.

(3) Certification and review procedures.—The
Director shall establish—

(A) procedures for a covered entity to self-certify
under paragraph (1); and

(B) procedures for the review of petitions
under paragraph (2)(B), including penalties for
unreasonable denials.

(d) Small Businesses Excluded.— This section 
does not apply to a small business. 

(e) Definitions.— In this section: 

(1) Portable category.— The term “portable 
category” means a category of products and services 
established by the Director under subsection 
(a)(1)(A)— 

(A) for which the sum obtained by adding 
the number of users or estimated users of each 
product or service in such category is greater
than 10,000,000; and 

(B) that— 

(i) has an estimated Herfindahl-Hirschman
Index of 2,000 or greater;

(ii) the total number of covered entities
offering products and services in such
category is 3 or less; or

(iii) the Director otherwise determines
that a category would benefit from encouraging
increased competition.

(2) Users.—The term “users” means, with respect
to a product or service, the monthly active

1 users, subscribers, or customers (or a reasonable

2 proxy or substitute therefor determined by the Di- 

3 rector) of such product or service. 

4 SEC. 105. RIGHT TO HUMAN REVIEW OF AUTOMATED DECI- 

5 SIONS. 

6 For any decision by a covered entity based solely on 

7 automated processing of personal information of an indi- 

8 vidual, if such processing increases reasonably foreseeable 

9 significant privacy harms for such individual, such covered 

10 entity shall— 

11 (1) inform such individual of what personal in- 

12 formation is or may be used for such decision; 

13 (2) make available a reasonable mechanism by 

14 which such individual may request human review of 

15 such decision; and 

16 (3) if such individual requests such a review, 

17 conduct such review within a reasonable amount of 

18 time after such request. 

19 SEC. 106. RIGHT TO INDIVIDUAL AUTONOMY. 

20 (a) In General.—A covered entity shall not collect, 

21 process, maintain, or disclose an individual’s personal in- 

22 formation to: 

23 (1) create, improve upon, or maintain; 

24 (2) process with; or 

25 (3) otherwise link an individual with;

1 an algorithm, model, or other means designed for behav-

2 ioral personalization, without the affirmative express con- 

3 sent of that individual. 

4 (b) Consent.— A covered entity must obtain express 

5 affirmative consent from an individual before it may pro- 

6 vide a behaviorally personalized version of a product or 

7 service. Where consent is denied, a covered entity must

8 provide the product or service without behavioral personal- 

9 ization. 

10 (c) Exceptions to Providing Product or Serv- 

11 ice.— 

12 (1) Where the offering of a substantially similar 

13 product or service without behavioral personalization 

14 is infeasible, a covered entity shall provide, to the 

15 greatest extent feasible, a core aspect or part of the 

16 product or service that can be offered without behav-

17 ioral personalization. 

18 (2) Where no core aspect or part of the product 

19 or service can function in a substantially similar 

20 function without behavioral personalization, a cov- 

21 ered entity may deny providing an individual use of 

22 such product or service if such individual does not 

23 consent to behavioral personalization as required in 

24 subsection (a).

1 (d) Exception to Behavioral Processing.—Not-

2 withstanding subsections (a) and (b), a covered entity may 

3 create or process using behavioral personalization algo- 

4 rithms, models, or other mechanisms for the purpose of 

5 increasing the usability of the product or service provided 

6 by a covered entity that— 

7 (1) are built using aggregated personal infor- 

8 mation that is representative of all the personal in- 

9 formation the covered entity maintains; and 

10 (2) have an output that is both uniform across 

11 the individuals that use the product or service and

12 independent of a specific individual’s inherent or be- 

13 havioral characteristics. 

14 (e) Usability. —The term “usability” as used in 

15 subsection (d) does not include optimizations or other al- 

16 terations to the product or service that are made with the 

17 primary purpose of increasing the amount of time an indi- 

18 vidual engages with or uses the product or service, unless

19 such increase benefits the individual.

20 (f) Small Businesses Excluded. —This section 

21 does not apply to a small business. 

22 SEC. 107. RIGHT TO BE INFORMED. 

23 A covered entity that collects personal information of 

24 an individual with whom such covered entity does not have 

25 an existing relationship (as of the time of the collection),

1 if such personal information includes contact information,

2 shall notify such individual within 30 days, in writing if 

3 possible and at no charge to the individual, that such cov- 

4 ered entity has collected the personal information of such 

5 individual. 

6 SEC. 108. RIGHT TO IMPERMANENCE. 

7 (a) Limitation on Maintenance of Personal In-

8 formation. —A covered entity shall not maintain per- 

9 sonal information for more time than expressly consented 

10 to by an individual whose personal information is being 

11 maintained. 

12 (b) Consent.—A covered entity must obtain express 

13 affirmative consent from an individual before maintaining 

14 the personal information of such individual for any dura- 

15 tion. Such consent may be obtained for categories of per- 

16 sonal information and shall give an individual options to 

17 affirmatively choose granting a covered entity consent for 

18 various durations, at least including— 

19 (1) for no longer than needed to complete the 

20 specific request or transaction (including a reason- 

21 able estimate of such duration by the covered enti- 

22 ty); 

23 (2) until consent is revoked; and 

24 (3) one or more additional durations based on 

25 reasonable expectations and norms for the mainte-

nance of the category of personal information being
maintained. 

(c) Exception for Implied Consent.—Where the
long-term maintenance of personal information is, on its
face, obvious and a core feature of the product or service
at the request of the individual, and the personal information
is maintained only to provide such product or service,
subsections (a) and (b) shall not apply.

SEC. 109. EXEMPTIONS, EXCEPTIONS, FEES, TIMELINES, 
AND RULES OF CONSTRUCTION FOR RIGHTS 
UNDER THIS TITLE. 

(a) Exemptions for Personal Information for 
Particular Purposes.— 

(1) In general.—This title does not apply
with respect to personal information that is collected,
processed, maintained, or disclosed for any of
the following purposes (or a combination of such
purposes), where a covered entity has technical safeguards
and business processes that limit the collection,
processing, maintaining, or disclosure of such
personal information to the following purposes:

(A) Detecting, responding to, or preventing 
security incidents or threats. 

(B) Protecting against malicious, deceptive,
fraudulent, or illegal activity.

(C) Complying with specific law enforcement
requests or court orders.

(D) Protecting a legally recognized privilege
or other legal right.

(E) Protecting public safety. 

(F) Collection, processing, or maintenance
by an employer pursuant to an employer-employee
relationship of records about employees
or employment status, except—

(i) where the information would not
be reasonably expected to be collected in
the context of an employee’s regular duties;
or

(ii) was disclosed to the employer by 
a third party. 

(G) Preventing prospective abuses of a 
service by an individual whose account has been 
previously terminated. 

(H) Routing a communication through a
communications network or resolving the location
of a host or client on a communications
network.

(I) Providing transparency in advertising 
or origination of user generated content.

1 (2) Reidentification.—Where compliance

2 with this title would require the reidentification of 

3 de-identified personal information, and the covered 

4 entity does not already maintain the information 

5 necessary for such reidentification, the covered enti- 

6 ty shall be exempt from such compliance, except for 

7 with section 106. 

8 (3) Disclosure.—A covered entity relying on 

9 an exemption under paragraph (1) with respect to 

10 personal information shall disclose in the privacy 

11 policy maintained by such entity under section 

12 213— 

13 (A) the reason for which such information 

14 is collected, processed, maintained, or disclosed; 

15 and 

16 (B) a description of the rights provided by 

17 this title that are not available with respect to 

18 such personal information by reason of such ex- 

19 emption. 

20 (b) Exceptions for Particular Requests.— 

21 (1) In general. —A covered entity may deny 

22 the request of an individual under this title if— 

23 (A) such covered entity cannot confirm the 

24 identity of such individual;

(B) such covered entity determines that
granting the request of such individual would 
create a legitimate risk to the privacy, security, 
safety, or other rights of another individual; 

(C) such covered entity determines that 
granting the request of such individual would 
create a legitimate risk to free expression; or 

(D) the personal information requested to 
be corrected under section 102 or deleted under 
section 103— 

(i) is necessary to the completion of a 
transaction initiated before such request 
was made or the performance of a contract 
entered into before such request was made; 

(ii) was collected specifically for the
completion of such transaction or the performance
of such contract; and

(iii) would undermine the integrity of 
a legally significant transaction. 

(2) Limitations on requests for additional
information to confirm identity.—A
covered entity may not deny a request of an individual
under paragraph (1)(A) on the basis of the
refusal of such individual to provide additional per- 


g:\VHLC\102919\102919.121 .xml 
October 29, 2019 (12:16 p.m.) 


(739203128) 



G:\M\16\ESHOO\ESHOO_038.XML 

1 sonal information to such covered entity to confirm

2 the identity of such individual—

3 (A) if the identity of such individual can

4 reasonably be confirmed using personal infor- 

5 mation of such individual that such covered en- 

6 tity (as of the time of the request) already 

7 maintains; or 

8 (B) if such individual has an existing rela- 

9 tionship (as of the time of the request) with

10 such covered entity, such individual has con- 

11 firmed the identity of such individual to such 

12 covered entity in the same manner as for other 

13 transactions of a similar sensitivity. 

14 (c) Exemption for Service Providers. —This 

15 title does not apply to a service provider. 

16 (d) Exemption for Privacy Preserving Com- 

17 puting.—Except for sections 101, 105, 106, and 109,

18 this title does not apply to personal information secured 

19 using privacy preserving computing. 

20 (e) Timeline for Complying With a Request.— 

21 Without undue delay but not longer than 30 days after 

22 the request, a covered that receives a request under this 

23 title must— 

24 (1) comply with such request; or

1 (2) inform such individual of the reason for de-

2 nying such request, as allowed under subsections (a) 

3 or (b) of this section. 

4 (f) Fees Prohibited. — 

5 (1) In general. —Except as provided in para- 

6 graph (2), a covered entity may not charge a fee to 

7 an individual for a request made under this title. 

8 (2) Unfounded or excessive requests.—If

9 a request under this title is unfounded or excessive, 

10 a covered entity may charge a reasonable fee that 

11 reflects the estimated administrative costs of com- 

12 plying with such request. 

13 (3) Agency notice. —If a covered entity plans 

14 to charge fee under paragraph (2), it must notify 

15 the Agency at least 7 days before charging such fee. 

16 (4) Agency review. —The Director may reject 

17 any fee that a covered entity plans to charge for a 

18 request made under this title if the Agency finds— 

19 (A) such fee to be unreasonable relative to 

20 reasonable administrative costs of complying 

21 with a request under this title; or 

22 (B) such request is not unfounded or ex- 

23 cessive. 

24 (g) Rules of Construction.—Nothing in this title

25 shall be construed to require a covered entity to—

1 (1) take an action that would convert informa-

2 tion that is not personal information into personal 

3 information; 

4 (2) collect or maintain personal information or 

5 contents of communication that the covered entity 

6 would otherwise not maintain; or 

7 (3) maintain personal information or contents 

8 of communication longer than the covered entity 

9 would otherwise maintain such personal information. 

10 (h) Regulations.—The Director shall promulgate

11 regulations to implement this section. 

12 TITLE II—REQUIREMENTS FOR 

13 COVERED ENTITIES, SERVICE 

14 PROVIDERS, AND THIRD PAR- 

15 TIES 

16 SEC. 201. MINIMIZATION AND ARTICULATED BASIS FOR 

17 COLLECTION, PROCESSING, AND MAINTE- 

18 NANCE. 

19 (a) Articulated Basis.—A covered entity shall 

20 have a reasonable, articulated basis for the collection, 

21 processing, disclosure, and maintenance of personal infor- 

22 mation that takes into account the reasonable business 

23 needs of the covered entity and minimum amount of per- 

24 sonal information necessary for providing the service, bal- 

25 anced with the intrusion on the privacy of, potential pri-

1 vacy harms to, and reasonable expectations of individuals

2 to whom the personal information relates. 

3 (b) Minimization of Collection, Processing, 

4 Disclosure, and Maintenance.— 

5 (1) Collection.—A covered entity may not 

6 collect more personal information than is reasonably 

7 needed to provide a product or service that an indi- 

8 vidual has requested.

9 (2) Processing.—A covered entity may not 

10 process personal information for a purpose other 

11 than the purpose for which such information was

12 originally collected from the individual or in the case 

13 of a service provider, a purpose other than that 

14 which is in accordance with the directions of a cov- 

15 ered entity. 

16 (3) Disclosure.—A covered entity may not 

17 disclose personal information for a purpose other 

18 than the purpose for which such information was

19 originally collected from the individual or in the case 

20 of a service provider, a purpose other than that 

21 which is in accordance with the directions of a cov- 

22 ered entity. 

23 (4) Maintenance. —A covered entity may not 

24 maintain personal information once such information

25 is no longer needed for the purpose for which such

1 information was originally collected from the indi-

2 vidual or in the case of a service provider, a purpose

3 other than that which is in accordance with the di- 

4 rections of a covered entity. 

5 (c) Ancillary Collection, Processing, Disclo- 

6 sure, and Maintenance. —Notwithstanding subsection 

7 (b), a covered entity may engage in collection, processing, 

8 disclosure, or maintenance of personal information beyond 

9 limitations under subsection (b) only if such covered entity

10 complies with this subsection. 

11 (1) No notice or consent required.—A

12 covered entity may engage in collection, processing, 

13 or maintenance of personal information without ad- 

14 ditional notice or consent if the purpose for such col-

15 lection, processing, or maintenance is substantially

16 similar to the type of personal information and pur-

17 pose for which such personal information was origi-

18 nally collected and such ancillary collection, proc-

19 essing, or maintenance will not result in additional 

20 or increased privacy harms. 

21 (2) Notice required.— A covered entity shall 

22 provide notice of ancillary collection, processing, dis- 

23 closure or maintenance of personal information in 

24 the case of one, but not more than one, of the fol- 

25 lowing:

(A) Such ancillary collection, processing,
disclosure, or maintenance may result in additional
or increased privacy harms (but not increased
significant privacy harms), and is substantially
similar to the purpose for which such
personal information was originally collected.

(B) The purpose for such ancillary collection,
processing, disclosure, or maintenance is
not substantially similar to the purpose for
which such personal information was originally
collected, but will not result in additional or increased
privacy harms.

(C) Such ancillary collection, processing,
disclosure, or maintenance may result in additional
or increased privacy harms (but not increased
significant privacy harms) and the purpose
is not substantially similar to the purpose
for which such personal information was originally
collected, so long as, the personal information
is secured using privacy preserving computing.

(3) Notice and consent required. —For 
scenarios not covered under paragraphs (1) or (2), 
and notwithstanding section 212(b)(2) and (3), a 
covered entity shall provide notice of and obtain con-

1 sent for ancillary collection, processing, disclosure or

2 maintenance of personal information. 

3 (d) Substitution. —In cases in which personal in- 

4 formation can be replaced with artificial personal informa- 

5 tion, personal information that has been de-identified, or 

6 the random personal information of a one or more individ- 

7 uals without substantially reducing the utility of the data

8 or requiring an unreasonable amount of effort, such a re- 

9 placement shall take place. 

10 SEC. 202. MINIMIZATION AND RECORDS OF ACCESS BY EM- 

11 PLOYEES AND CONTRACTORS. 

12 (a) Minimization.—A covered entity shall restrict

13 access to personal information and contents of commu-

14 nications by the employees or contractors of such covered 

15 entity based on an articulated balance between the poten- 

16 tial for privacy harm, reasonable expectations of individ- 

17 uals to whom the personal information relates, and reason- 

18 able business needs. 

19 (b) Records of Access.— 

20 (1) In general. —A covered entity shall main- 

21 tain records identifying each instance in which an 

22 employee or a contractor of such covered entity ac- 

23 cesses personal information or contents of commu-

24 nications if disclosure of, or a data breach or data 

25 sharing abuse involving, such personal information

1 or contents may foreseeably result in increased pri-

2 vacy harms. 

3 (2) Information required. —The records re- 

4 quired by paragraph (4) shall include the following:

5 (A) A unique identifier for the employee or 

6 contractor accessing personal information or 

7 contents of communications. 

8 (B) The date and time of access. 

9 (C) The fields of information accessed. 

10 (D) The individuals whose personal infor- 

11 mation was accessed or the contents of whose 

12 communications were accessed. 

13 (3) Small businesses excluded.— This sub- 

14 section does not apply to a small business. 

15 SEC. 203. PROHIBITION ON THE COLLECTION OR MAINTE- 

16 NANCE OF PERSONAL INFORMATION. 

17 A covered entity may not collect or maintain personal 

18 information using a channel of interstate commerce unless 

19 such covered entity is in compliance with all requirements 

20 of this Act. 

21 SEC. 204. PROHIBITIONS ON THE DISCLOSURE OF PER- 

22 SONAL INFORMATION. 

23 (a) Consent for Disclosure Required.— 

24 (1) In general. —A covered entity may not in- 

25 tentionally disclose personal information unless the

covered entity obtains consent of the individual
whose personal information is being disclosed for
each category of third party to which such personal
information will be disclosed. Such covered entity
must also provide such individual with notice of—

(A) each category of third party;

(B) the personal information to be disclosed;
and

(C) a concise and clear description of the
business or commercial purpose for such disclosure.

(2) Additional requirements for sale of
personal information.—

(A) In general.—A covered entity may
not intentionally sell personal information unless
the covered entity—

(i) obtains the consent required by
paragraph (1) for each individual disclosure
of such person information; and

(ii) and provides the individual to 
whom such personal information relates 
with the identity of the specific third party 
to which such personal information will be 
disclosed.

1 (B) Disclosure services.—Subpara-

2 graph (A) shall not apply to a covered entity in 

3 a case in which an individual is directing the 

4 covered entity to disclose the personal informa- 

5 tion of such individual for the sole purpose of

6 procuring goods or services, or offers for goods 

7 or services, for such individual, if there is a rea- 

8 sonable mechanism for the individual to with- 

9 draw consent. 

10 (3) Requirement to include original pur- 

11 pose of collection.—A covered entity may not

12 intentionally disclose personal information without 

13 including the purpose for which the personal infor- 

14 mation was originally collected. 

15 (4) Exception for privacy preserving 

16 computing. —Notwithstanding paragraph (1), con- 

17 sent is not required for a disclosure (not including 

18 sale) of personal information secured using privacy 

19 preserving computing. 

20 (5) Exception for de-identified personal 

21 information. —Notwithstanding paragraph (1), 

22 consent is not required for a disclosure (not includ- 

23 ing sale) of de-identified personal information where 

24 the disclosed personal information is limited to the 

25 narrowest possible scope likely to yield the intended

1 benefit and contractual obligations are in place that

2 prohibit— 

3 (A) re-identification of the disclosed per- 

4 sonal information; and 

5 (B) the processing of additional personal 

6 information in combination with the disclosed 

7 personal information that would allow for the 

8 reidentification of the disclosed personal infor- 

9 mation. 

10 (b) Disclosure for Advertising or Marketing 

11 Purposes.— 

12 (1) In general. —A covered entity may not in- 

13 tentionally disclose for advertising or marketing pur-

14 poses a unique identifier or any other personal infor-

15 mation that would allow the disclosure of such infor-

16 mation to be linked to past or future disclosures of 

17 information relating to the same individual or device. 

18 (2) Treatment of certain types of infor- 

19 mation.—A disclosure for advertising or marketing 

20 purposes may not be treated as violating subpara-

21 graph (1) by reason of including any or all of the 

22 following: 

23 (A) Internet Protocol addresses truncated 

24 to no more than the first 24 bits for Internet 

25 Protocol version 4 and the first 48 bits for

1 Internet Protocol version 6, or for a successor

2 protocol truncated to limit the precision of the 

3 identifier to a network address of the internet 

4 access provider. 

5 (B) Geolocation information truncated to 

6 allow no more than the equivalent of two dec- 

7 imal degrees of precision at the equator or 

8 prime meridian, or an equivalent precision in 

9 another geolocation standard. 

10 (C) A general description of a device, 

11 browser, or operating system, or any combina- 

12 tion thereof. 

13 (D) An identifier that is unique for each 

14 disclosure. 

15 SEC. 205. DISCLOSURE TO ENTITIES NOT SUBJECT TO 

16 UNITED STATES JURISDICTION OR NOT COM- 

17 PLIANT WITH THIS ACT. 

18 (a) Prohibition. —A covered entity may not inten- 

19 tionally disclose personal information to any entity that— 

20 (1) is not subject to the jurisdiction of the 

21 United States; or 

22 (2) is not in compliance with all requirements 

23 of this Act. 

24 (b) Exception. —Notwithstanding subsection (a), a 

25 covered entity may disclose personal information where

that personal information is limited to an identifier created
primarily for the purpose of sending or receiving electronic
communications and the sole purpose of the disclosure
is to send or receive an electronic communication at
the request of the individual whose personal information
is being disclosed.

(c) Disclosure Safe Harbors.—Notwithstanding
subsection (a), a covered entity may disclose personal information
to another covered entity (the receiving covered
entity) that is not subject to the jurisdiction of the United
States if either—

(1) the receiving covered entity has entered into 
an agreement, as described in subsection (e), with 
the Agency, and— 

(A) the covered entity has a reasonable belief
that the receiving covered entity is sufficiently
solvent to compensate victims or pay
fines for violations of this Act;

(B) a contract between the covered entity 
and receiving covered entity requires that the 
receiving covered entity complies with this Act, 
and the covered entity has reason to believe the 
receiving covered entity is compliant with this 
Act; and

(C) a contract between the covered entity
and the receiving covered entity prohibits the
receiving covered entity from using the disclosed
personal information for any purpose
other than provided in the contract; or

(2) the covered entity has—

(A) entered into an agreement with the receiving
covered entity that—

(i) requires the receiving covered entity
to comply with this Act;

(ii) prohibits the receiving covered entity
from using the disclosed personal information
for any purpose other than provided
in the contract;

(iii) requires the receiving covered entity
to indemnify the covered entity against
violations of this Act committed by the receiving
covered entity for any amount the
covered entity is unable to pay of a judgment
for such violation;

(iv) grants the covered entity the authority
to audit, including physical access
to electronic devices and data, the receiving
covered entity’s compliance with this Act
and the contract; and

(v) requires the receiving covered entity
to assist the covered entity in responding
to and complying with any court orders,
Agency orders, or the exercising of
an individual’s rights under this Act.

(B) actual knowledge that the receiving 
covered entity is in compliance with this Act 
and not using personal information contrary to 
their agreement; 

(C) actual knowledge that the receiving
covered entity is sufficiently solvent to compensate
victims or pay fines for violations of
this Act;

(D) an auditing and compliance program
to ensure the receiving covered entity’s continued
compliance with this Act and contract
terms;

(E) filed with the Agency the terms of said
contract, proof of its actual knowledge of the
receiving covered entity’s compliance with this
Act and contract terms, and documents detailing
its auditing and compliance program for approval
and publication by the Agency; and

(F) the covered entity has entered into an 
agreement with the Agency where it agrees to

1 accept, respond to, or comply with a court

2 order, agency order, or request by an individual

3 regarding actions taken by the receiving covered

4 entity with respect to the data it has disclosed.

5 (d) For the purposes of subsection (c)(2), the covered 

6 entity shall be jointly liable for a violation of this Act by 

7 the receiving covered entity regarding the data the covered 

8 entity disclosed, except where the covered entity was the 

9 first to notify the Agency of the violation, in which case, 

10 it shall be severally liable. Where the covered entity should 

11 reasonably have known of a violation of this Act by the 

12 receiving covered entity and fails to disclose the violation 

13 to the Agency, each day of continuance of the failure to 

14 report such violation shall be treated as a separate viola- 

15 tion. 

16 (e) Agency Agreements.—Upon the request of a

17 covered entity not subject to the jurisdiction of the United 

18 States, the Agency shall enter into an agreement with the 

19 covered entity that includes, but is not limited to, the fol- 

20 lowing conditions: 

21 (1) The principle place of business for the cov- 

22 ered entity must be in a country that allows for the 

23 domestication of a United States court decision for 

24 civil fines payable to a government entity and in- 

25 junctive relief. Where a foreign court refuses to en-

1 force a United States court decision under this Act,

2 the agreement, and all other agreements with cov- 

3 ered entities with a principle place of business in the 

4 same jurisdiction, shall be void. 

5 (2) The covered entity agrees to comply with 

6 this Act. 

7 (3) The covered entity agrees to be subject to 

8 this Act with choice of venue being a United States 

9 court. 

10 (4) The covered entity agrees to comply with 

11 Agency investigative requests or orders, and United 

12 States court orders or decisions under this Act. 

13 (5) The covered entity consents to United 

14 States Federal court personal jurisdiction for the 

15 sole purpose of enforcing this Act. 

16 (6) Where enforcement of the decision requires 

17 the use of a foreign court, the covered entity agrees 

18 to pay reasonable attorney fees necessary to enforce 

19 the judgment.

20 (7) A default judgment, failure to comply with 

21 Agency investigative requests or orders, or failure to 

22 comply with United States court orders or decisions 

23 shall result in the immediate termination of the 

24 agreement. 
1 (f) Rule of Construction Against Data Local-

2 ization.—Nothing in this section shall be construed to

3 require the localization of processing or maintaining per- 

4 sonal information by a covered entity to within the United 

5 State, or limit internal disclosure of personal information 

6 within a covered entity or to subsidiary or corporate affil- 

7 iate of such covered entity, regardless of the country in 

8 which the covered entity will process, disclose, or maintain 

9 that personal information. 

10 SEC. 206. PROHIBITION ON REIDENTIFICATION. 

11 (a) In General. —Except as required under title I, 

12 a covered entity shall not use personal information col- 

13 lected from an individual, acquired from a third party, or 

14 acquired from a publicly available information to reiden- 

15 tify an individual from de-identified information. 

16 (b) Third Party Prohibition. —A covered entity 

17 that discloses de-identified information to a third party 

18 shall prohibit such third party from reidentifying an indi- 

19 vidual using such de-identified information. 

20 (c) Exception. —Subsection (a) shall not apply to 

21 qualified research entities, as determined by the Director, 

22 conducting research not for commercial purposes. 
1 SEC. 207. RESTRICTIONS ON COLLECTION, PROCESSING

2 AND DISCLOSURE OF CONTENTS OF COMMU- 

3 NICATIONS. 

4 (a) In General.—A covered entity may not collect, 

5 process, maintain, or disclose the contents of any commu-

6 nication, regardless of whether the sender or intended re-

7 cipient of the communication is an individual, other per- 

8 son, or an electronic device, for any purpose other than— 

9 (1) transmission or display of the communica- 

10 tion to any intended recipient or the original sender, 

11 or maintenance of such communications for such 

12 purposes; 

13 (2) detecting, responding to, or preventing secu- 

14 rity incidents or threats; 

15 (3) providing services to assist in the drafting 

16 or creation of the content of a communication; 

17 (4) processing expressly requested by the sender 

18 or intended recipient, if the sender or intended re- 

19 cipient can terminate such processing using a rea- 

20 sonable mechanism; 

21 (5) a disclosure otherwise required by law; 

22 (6) the filtering of a communication where pri- 

23 mary purpose of the communication is the commer-

24 cial advertisement or promotion of a commercial

25 product or service; or 
1 (7) detecting or enforcing an abuse or violation

2 of the service’s terms of service that would result in 

3 either a temporary or permanent ban from using the 

4 service. 

5 (b) Intended Recipient. —A covered entity is not 

6 considered an intended recipient of a communication, or 

7 any communication used in the creation of the content of 

8 said communication, where— 

9 (1) at least one intended recipient is a natural 

10 person other than an employee or contractor of the 

11 covered entity; 

12 (2) at least one intended recipient is a person 

13 other than the covered entity; or 

14 (3) a purpose of the covered entity’s service is 

15 to maintain, at the direction of the sender, the con- 

16 tent of said communication for more than a transi-

17 tory period.

18 (c) Sender.—The sender of a communication is the

19 person for whom the communication, and its content, is 

20 disclosed at the direction of and on behalf of. 

21 (1) Where the sender is a natural person, they 

22 shall be the sender of the entire content of the com-

23 munication, regardless of the original author of any

24 portion of the content. 


g:\VHLC\102919\102919.121 .xml 
October 29, 2019 (12:16 p.m.) 


(739203128) 



G:\M\16\ESHOO\ESHOO_038.XML 

59 

1 (2) Otherwise, a sender shall be the sender of 

2 only the content it was an original author of, or con- 

3 tent it received as an intended recipient. 

4 (d) Exception for Publicly Available Commu-

5 nications.—Subsection (a) shall not apply where the con-

6 tents of communication that are made publicly accessible 

7 by the sender without restrictions on accessibility other 

8 than the general authorization to access the services used 

9 to make the information accessible. 

10 (e) Encryption Protection. —A covered entity 

11 shall not— 

12 (1) prohibit or prevent a person from 

13 encrypting or otherwise rendering unintelligible the 

14 content of a communication using a means that pre- 

15 vents the covered entity from being able to decrypt 

16 or otherwise render intelligible said content; and 

17 (2) require or cause a person to disclose or cir- 

18 cumvent the means described in paragraph (1) to 

19 the covered entity that would allow it to render the 

20 content intelligible. 

21 (f) Service Providers Safe Harbor. —A service 

22 provider shall not be held liable for a violation of this sec- 

23 tion if such service provider is acting at the direction of

24 and on behalf of a covered entity and has a reasonable 
1 belief that the covered entity’s directions are in compliance

2 with this section. 

3 SEC. 208. PROHIBITION ON DISCRIMINATORY PROCESSING. 

4 (a) Discrimination in Economic Opportuni- 

5 ties.—A covered entity shall not process personal infor- 

6 mation or contents of communication for advertising, mar- 

7 keting, soliciting, offering, selling, leasing, licensing, rent- 

8 ing, or otherwise commercially contracting for employ- 

9 ment, finance, healthcare, credit, insurance, housing, or 

10 education opportunities in a manner that discriminates 

11 against or otherwise makes opportunities unavailable on 

12 the basis of an individual’s protected class status. 

13 (b) Public Accommodations.—A covered entity 

14 shall not process personal information in a manner that 

15 segregates, discriminates in, or otherwise makes unavail- 

16 able the goods, services, facilities, privileges, advantages, 

17 or accommodations of any place of public accommodation 

18 on the basis of a person’s or a group’s protected class sta- 

19 tus. 

20 (c) The Director shall promulgate regulations to im- 

21 plement this section. 

22 SEC. 209. RESTRICTIONS ON GENETIC INFORMATION. 

23 (a) In General.— A covered entity may not collect, 

24 process, maintain, or disclose genetic information for any 

25 purpose other than— 



1 (1) providing medical treatment or testing to 

2 the individual whose genetic information is being col- 

3 lected, processed, maintained, or disclosed; 

4 (2) research and services related to medical, 

5 historical, or population uses of genetic information, 

6 if, in the case of disclosure of genetic information— 

7 (A) such genetic information is only dis- 

8 closed to qualified research entities, as deter- 

9 mined by the Director; 

10 (B) additional personal information dis- 

11 closed with such genetic information is limited 

12 to the narrowest possible scope likely to yield 

13 the intended benefit; and 

14 (C) the covered entity limits, through con- 

15 tractual obligations, additional types of personal 

16 information that can be processed with the dis- 

17 closed genetic information and personal infor- 

18 mation. 

19 (3) a purpose specified by the Director by regu- 

20 lation, taking into account the potential privacy 

21 harms and potential benefits of such collection, proc- 

22 essing, maintenance, or disclosure; or 

23 (4) to comply with a Federal criminal investiga- 

24 tion request or order. 
1 (b) Genetic Information Defined.—In this sec-

2 tion, the term “genetic information” has the meaning

3 given such term in section 201 of the Genetic Information

4 Nondiscrimination Act of 2008 (42 U.S.C. 2000ff).

5 (c) Service Providers Safe Harbor.—A service

6 provider shall not be held liable for a violation of this sec- 

7 tion if such service provider is acting at the direction of 

8 and on behalf of a covered entity and has a reasonable 

9 belief that is the covered entity’s directions are in compli- 

10 ance with this section. 

11 SEC. 210. REQUIREMENTS FOR NOTICE AND CONSENT 

12 PROCESSES AND PRIVACY POLICIES. 

13 (a) Minimum Threshold.—The Director shall es-

14 tablish a minimum threshold that a covered entity must

15 meet for the percentage of individuals who read and un- 

16 derstand a notice or consent process or privacy policy re- 

17 quired by this Act. In establishing such minimum thresh- 

18 olds, the Director shall take into account expectations of 

19 individuals, potential privacy harms, and individuals’ 

20 awareness of privacy harms. 

21 (b) Consent Revocation. — A covered entity shall 

22 make available a reasonable mechanism by which an indi- 

23 vidual may revoke consent for any consent given under 

24 this Act. 

25 (c) Safe Harbor.— 
1 (1) Approval procedures.—The Director

2 shall develop procedures for analyzing and approving 

3 data submitted by a covered entity to establish that 

4 a notice and consent process or privacy policy of 

5 such covered entity meets the threshold established 

6 under subsection (a). 

7 (2) Presumption. —If a covered entity submits 

8 testing data to and receives an approval from the 

9 Director under paragraph (1) establishing that a no- 

10 tice or consent process or privacy policy of such cov- 

11 ered entity meets the threshold established under 

12 subsection (a), such notice or consent process or pri- 

13 vacy policy shall be presumed to have met such 

14 threshold. Such presumption may be rebutted by 

15 clear and convincing evidence. 

16 (3) Public availability of approved proc-

17 esses and policies and associated testing

18 data.—The Director shall make publicly available

19 online the notice and consent processes and privacy 

20 policies and associated testing data that the Director 

21 approves under paragraph (1). 

22 (4) Small business adoption of notice or

23 consent process of another covered enti-

24 ty.—



(A) In general.—If a small business
adopts a notice or consent process of another
covered entity that collects, processes, maintains,
or discloses personal information in substantially
the same way as such small business,
if the process of such other covered entity has
been approved under paragraph (1), the process
of such small business shall receive the presumption
under paragraph (2).

(B) Ability to freely use approved
process.—A covered entity whose notice or
consent process is approved under paragraph
(1) shall permit a small business to freely use
such process, or a derivative thereof, as described
in subparagraph (A).

(C) No published process.—In the case
of a small business for which there is no approved
notice or consent process published
under paragraph (3) of a covered entity that
collects, processes, maintains, or discloses personal
information in substantially the same way
as such small business, any requirement under
this title for a notice or consent process to be
objectively shown to meet the threshold established
by the Director under subsection (a)
1 shall not apply to such small business. Nothing

2 in the preceding sentence exempts a small busi- 

3 ness from the requirement to use such notice or 

4 consent process or that such process be concise 

5 and clear. 

6 (D) Inapplicability to privacy pol-

7 icy.—Paragraph (4) does not apply with re-

8 spect to a privacy policy. 

9 (5) Minor changes. —A covered entity may 

10 make minor changes in a notice or consent process 

11 or privacy policy approved under paragraph (1) and 

12 retain the presumption under paragraph (2) for such 

13 process or policy without retesting or resubmission 

14 of testing data to the Director. 

15 SEC. 211. PROHIBITION ON DECEPTIVE NOTICE AND CON- 

16 SENT PROCESSES AND PRIVACY POLICIES. 

17 In providing notice, obtaining consent, or maintaining 

18 a privacy policy as required by this title, a covered entity 

19 may not intentionally take any action that substantially 

20 impairs, obscures, or subverts the ability of an individual 

21 to— 

22 (1) understand the contents of such notice or 

23 such privacy policy; 

24 (2) understand the process for granting such 

25 consent; 
1 (3) make a decision regarding whether to grant

2 or withdraw such consent; or

3 (4) act on any such decision.

4 SEC. 212. NOTICE AND CONSENT REQUIRED. 

5 (a) Notice.—A covered entity shall provide an indi-

6 vidual with notice of the personal information such covered

7 entity collects, processes, maintains, and discloses through 

8 a process that is concise and clear and can be objectively 

9 shown to meet the threshold established by the Director 

10 under section 210(a). 

11 (b) Consent.— 

12 (1) Express consent required. —Except as 

13 provided in paragraphs (2) and (3), a covered entity 

14 may not collect from an individual personal informa- 

15 tion that creates or increases the risk of foreseeable 

16 privacy harms, or process or maintain any such per- 

17 sonal information collected from an individual, un- 

18 less such entity obtains the express consent of such 

19 individual to the collection, processing, or mainte- 

20 nance (or any combination thereof) of such informa- 

21 tion through a process that is concise and clear and 

22 can be objectively shown to meet the threshold es-

23 tablished by the Director under section 210(a).

24 (2) Exception for implied consent.—Not-

25 withstanding paragraph (1), express consent is not
1 required for collection, processing, or maintenance of

2 personal information if the collection, processing, or

3 maintenance is, on its face, obvious and necessary to

4 provide a service at the request of the individual and

5 the personal information is collected, processed, or 

6 maintained only for such request. Nothing in this 

7 paragraph shall be construed to exempt the covered 

8 entity from the requirement of subsection (a) to pro- 

9 vide notice to such individual with respect to such 

10 collection, processing, or maintenance. 

11 (3) Exemption for privacy preserving 

12 computing. —Notwithstanding paragraph (1), ex- 

13 cept with regard to consent for purposes of section 

14 106, express consent is not required for collection, 

15 processing, or maintenance of personal information 

16 secured using privacy preserving computing. Nothing 

17 in this paragraph shall be construed to exempt the 

18 covered entity from the requirement of subsection 

19 (a) to provide notice to such individual with respect 

20 to such collection, processing, or maintenance. 

21 (c) Service Providers Excluded. —This section 

22 does not apply to a service provider if such service provider 

23 has a reasonable belief that a covered entity for which it 

24 processes, maintains, or discloses personal information is 

25 in compliance with this section. 



1 SEC. 213. PRIVACY POLICY. 

2 (a) Policy Required.—A covered entity shall main- 

3 tain a privacy policy relating to the practices of such entity

4 regarding the collection, processing, maintenance, and dis- 

5 closure of personal information. 

6 (b) Contents.—The privacy policy required by sub-

7 section (a) shall contain the following:

8 (1) A general description of the practices of the 

9 covered entity regarding the collection, processing, 

10 maintenance, and disclosure of personal information. 

11 (2) A description of how individuals may exer- 

12 cise the rights provided by title I. 

13 (3) A clear and concise summary of the fol- 

14 lowing: 

15 (A) The categories of personal information 

16 collected or otherwise obtained by the covered 

17 entity. 

18 (B) The business or commercial purposes 

19 of the covered entity for collecting, processing, 

20 maintaining, or disclosing personal information. 

21 (C) The categories and a list of third par- 

22 ties to which the covered entity discloses per- 

23 sonal information. 

24 (4) A description of the personal information 

25 that the covered entity maintains that the covered 
1 entity does not collect from individuals and how the

2 covered entity obtains such personal information.

3 (5) A list of the third parties to which the cov- 

4 ered entity has disclosed personal information. 

5 (6) A list of the third parties from which the 

6 covered entity has obtained personal information at 

7 any time on or after the effective date specified in 

8 section 4(a). 

9 (7) The articulated basis for the collection, 

10 processing, disclosure and maintenance of personal 

11 information, as required under section 201(a). 

12 (c) Exemption for Personal Information for 

13 Particular Purposes. —The privacy policy required by 

14 subsection (a) is not required to contain information relat- 

15 ing to personal information that is collected, processed, 

16 maintained, or disclosed exclusively for any of the pur- 

17 poses described in paragraph (1) of section 109(a) (or a 

18 combination of such purposes), except as provided in para- 

19 graph (2) of such section. 

20 (d) Availability of Privacy Policy.— 

21 (1) Form and manner.—The privacy policy

22 required by subsection (a) shall be— 

23 (A) clear and in plain language; and 

24 (B) made publicly available in a prominent 

25 location on an ongoing basis. 
1 (2) Timing.—The privacy policy required by

2 subsection (a) shall be made available as required by 

3 paragraph (1) before any collection of personal in- 

4 formation by the covered entity that occurs after the 

5 effective date specified in section 4(a). 

6 (e) Small Businesses Excluded.—Subsections

7 (b)(7) and (d) do not apply to a small business. 

8 (f) Service Providers Excluded.—This section

9 does not apply to a service provider if such service provider 

10 has a reasonable belief that a covered entity for which it 

11 processes, maintains, or discloses personal information is 

12 in compliance with this section. 

13 SEC. 214. INFORMATION SECURITY REQUIREMENTS. 

14 (a) In General.— A covered entity shall establish 

15 and implement reasonable information security policies, 

16 practices, and procedures for the protection of personal 

17 information collected, processed, maintained, or disclosed 

18 by such covered entity, taking into consideration— 

19 (1) the nature, scope, and complexity of the ac- 

20 tivities engaged in by such covered entity; 

21 (2) the sensitivity of any personal information 

22 at issue; 

23 (3) the current state of the art in administra- 

24 tive, technical, and physical safeguards for pro- 

25 tecting such information; and 
1 (4) the cost of implementing such administra-

2 tive, technical, and physical safeguards. 

3 (b) Point of Contact.—A covered entity shall iden- 

4 tify an officer or other individual as the point of contact 

5 with responsibility for the management of information se- 

6 curity. 

7 (c) Specific Policies, Practices, and Proce- 

8 dures. —The policies, practices, and procedures required 

9 by subsection (a) shall include the following: 

10 (1) A written security policy with respect to the 

11 collection, processing, maintenance, and disclosure of 

12 personal information. Such policy shall be made pub- 

13 licly available in a prominent location on an ongoing 

14 basis, except that the publicly available version is 

15 not required to contain information that would com- 

16 promise a purpose described in paragraph (1) of sec- 

17 tion 109(a). 

18 (2) A process for identifying and assessing rea- 

19 sonably foreseeable security vulnerabilities in the 

20 system or systems used by such covered entity that 

21 contain personal information, which shall include 

22 regular monitoring for vulnerabilities or data 

23 breaches involving such system or systems. 

24 (3) A process for taking action designed to 

25 mitigate against vulnerabilities identified in the 
1 process required by paragraph (2), which may in-

2 clude implementing any changes to security practices

3 and the architecture, installation, or implementation 

4 of network or operating software, or for regularly 

5 testing or otherwise monitoring the effectiveness of 

6 the existing safeguards. 

7 (4) A process for determining if personal infor- 

8 mation is no longer needed and disposing of personal 

9 information by shredding, permanently erasing, or 

10 otherwise modifying the medium on which such per-

11 sonal information is maintained to make such per-

12 sonal information permanently unreadable or indeci-

13 pherable.

14 (5) A process for overseeing persons who have 

15 access to personal information, including through 

16 network-connected devices. 

17 (6) A process for employee training and super- 

18 vision for implementation of the policies, practices, 

19 and procedures required by this section. 

20 (7) A written plan or protocol for internal and 

21 public response in the event of a data breach or data 

22 sharing abuse. 

23 (d) Regulations. —The Director, in consultation 

24 with the National Institute of Standards and Technology, 

25 shall promulgate regulations to implement this section. 
1 (e) Small Businesses Assistance.—The Director,

2 in consultation with the National Institute of Standards 

3 and Technology, the Small Business Association, and 

4 small businesses, shall develop policy templates, toolkits, 

5 tip sheets, configuration guidelines for commonly used 

6 hardware and software, interactive tools, and other mate- 

7 rials to assist small businesses with complying with this 

8 section. 

9 SEC. 215. NOTIFICATION OF DATA BREACH OR DATA SHAR- 

10 ING ABUSE. 

11 (a) Notification of Agency.— 

12 (1) In general. —In the case of a data breach 

13 or data sharing abuse with respect to personal infor- 

14 mation maintained by a covered entity, such covered 

15 entity shall, without undue delay and, if feasible, not 

16 later than 72 hours after becoming aware of such 

17 data breach or data sharing abuse, notify the Direc- 

18 tor of such data breach or data sharing abuse, un- 

19 less such data breach or data sharing abuse is un- 

20 likely to create or increase foreseeable privacy 

21 harms. 

22 (2) Reasons for delay. —If the notification 

23 required by paragraph (1) is made more than 72 

24 hours after the covered entity becomes aware of the 

25 data breach or data sharing abuse, such notification 
1 shall be accompanied by a statement of the reasons

2 for the delay. 

3 (b) Notification of Other Covered Entity.— 

4 In the case of a data breach or data sharing abuse with 

5 respect to personal information maintained by a covered 

6 entity that such covered entity obtained from another cov- 

7 ered entity, the covered entity experiencing such data 

8 breach or data sharing abuse shall, without undue delay 

9 and, if feasible, not later than 72 hours after becoming 

10 aware of such data breach or data sharing abuse, notify 

11 such other covered entity of such data breach or data 

12 sharing abuse, unless such data breach or data sharing 

13 abuse is unlikely to create or increase foreseeable privacy 

14 harms. A covered entity receiving notice under this sub- 

15 section of a data breach or data sharing abuse shall notify 

16 any other covered entity from which the covered entity re- 

17 ceiving notice obtained personal information involved in 

18 such data breach or data sharing abuse, in the same man- 

19 ner as required under the preceding sentence for the cov- 

20 ered entity experiencing such data breach or data sharing 

21 abuse. 

22 (c) Notification of Individuals. — 

23 (1) In general. —In the case of a data breach 

24 or data sharing abuse with respect to personal infor- 

25 mation maintained by a covered entity (or a data 
breach or data sharing abuse about which a covered
entity is notified under subsection (b)), if such covered
entity has a relationship with an individual
whose personal information was involved or potentially
involved in such data breach or data sharing
abuse, such covered entity shall notify such individual
of such data breach or data sharing abuse not
later than 14 days after becoming aware of such
data breach or data sharing abuse (or, in the case
of a data breach or data sharing abuse about which
a covered entity is notified under subsection (b), not
later than 14 days after being so notified), if such
data breach or data sharing abuse creates or increases
foreseeable privacy harms.

(2) Medium of notification.—A covered entity
shall notify an individual as required by paragraph
(1) through—

(A) the same medium through which such
individual routinely interacts with such covered
entity; and

(B) one additional medium of notification,
if such covered entity has the personal information
necessary to make a notification through
such an additional medium without causing excessive
financial burden for such covered entity.
1 (d) Rule of Construction.—This section shall not

2 apply to a covered entity if a person uses personal infor- 

3 mation obtained from a data breach or data sharing abuse 

4 not involving such covered entity. 

5 TITLE III—UNITED STATES 

6 DIGITAL PRIVACY AGENCY 

7 SEC. 301. ESTABLISHMENT. 

8 (a) Agency Established.—There is established an

9 independent agency in the executive branch to be known 

10 as the “United States Digital Privacy Agency”, which 

11 shall implement and enforce this Act. 

12 (b) Director and Deputy Director. — 

13 (1) In general. —There is established the po- 

14 sition of the Director, who shall serve as the head 

15 of the Agency. 

16 (2) Appointment. —Subject to paragraph (3), 

17 the Director shall be appointed by the President, by 

18 and with the advice and consent of the Senate. 

19 (3) Qualification. —The President shall 

20 nominate the Director from among individuals who 

21 are citizens of the United States. 

22 (4) Deputy director. —There is established 

23 the position of Deputy Director, who shall— 

24 (A) be appointed by the Director; and 
1 (B) serve as acting Director in the absence

2 or unavailability of the Director. 

3 (c) Term.— 

4 (1) In general. —The Director shall serve for 

5 a term of 5 years. 

6 (2) Expiration of term.—An individual may

7 serve as Director after the expiration of the term for 

8 which appointed, until a successor has been ap- 

9 pointed and qualified. 

10 (3) Removal for cause. —The President may 

11 remove the Director for inefficiency, neglect of duty, 

12 or malfeasance in office. 

13 (d) Service Restriction. —No Director or Deputy 

14 Director may hold any office, position, or employment in 

15 any covered entity during the period of service of such per- 

16 son as Director or Deputy Director. 

17 (e) Offices. —The Director shall establish a prin- 

18 cipal office and field offices of the Agency in locations that 

19 have high levels of activity by covered entities, as deter- 

20 mined by the Director. 

21 (f) Compensation. — 

22 (1) In general. —The Director shall be com- 

23 pensated at the rate prescribed for level II of the 

24 Executive Schedule under section 5313 of title 5, 

25 United States Code. 
1 (2) Conforming amendment.—Section 5313

2 of title 5, United States Code, is amended by insert- 

3 ing after the item relating to “Federal Transit Ad- 

4 ministrator.” the following new item: “Director of 

5 the United States Digital Privacy Agency.”. 

6 SEC. 302. EXECUTIVE AND ADMINISTRATIVE POWERS. 

7 (a) Powers of the Agency. —The Director is au- 

8 thorized to establish the general policies of the Agency 

9 with respect to all executive and administrative functions, 

10 including— 

11 (1) the establishment of rules for conducting 

12 the general business of the Agency, in a manner not 

13 inconsistent with this Act; 

14 (2) to bind the Agency and enter into contracts; 

15 (3) directing the establishment and mainte- 

16 nance of divisions or other offices within the Agency, 

17 in order to carry out the responsibilities of the Agen- 

18 cy under this Act, and to satisfy the requirements of 

19 other applicable law; 

20 (4) to coordinate and oversee the operation of 

21 all administrative, enforcement, and research activi- 

22 ties of the Agency; 

23 (5) to adopt and use a seal; 
1 (6) to determine the character of and the neces-

2 sity for the obligations and expenditures of the 

3 Agency; 

4 (7) the appointment and supervision of per-

5 sonnel employed by the Agency;

6 (8) the distribution of business among per- 

7 sonnel appointed and supervised by the Director and 

8 among administrative units of the Agency; 

9 (9) the use and expenditure of funds; 

10 (10) implementing this Act through rules, or- 

11 ders, guidance, interpretations, statements of policy, 

12 investigations, and enforcement actions; and 

13 (11) performing such other functions as may be 

14 authorized or required by law. 

15 (b) Delegation of Authority. —The Director 

16 may delegate to any duly authorized employee, representa- 

17 tive, or agent any power vested in the Director or the 

18 Agency by law, except that the Director may not delegate 

19 the power to appoint the Deputy Director under section 

20 301(b)(4)(A). 

21 (c) Autonomy of Agency Regarding Rec- 

22 ommendations and Testimony. —No officer or agency 

23 of the United States shall have any authority to require 

24 the Director or any other officer of the Agency to submit 

25 legislative recommendations, or testimony or comments on 
1 legislation, to any officer or agency of the United States

2 for approval, comments, or review prior to the submission

3 of such recommendations, testimony, or comments to the

4 Congress, if such recommendations, testimony, or com-

5 ments to the Congress include a statement indicating that

6 the views expressed therein are those of the Director or

7 such officer, and do not necessarily reflect the views of

8 the President. 

9 SEC. 303. RULEMAKING AUTHORITY. 

10 The Director may prescribe rules and issue orders 

11 and guidance, as may be necessary or appropriate to en-

12 able the Agency to administer and carry out the purposes

13 and objectives of this Act, and to prevent evasions thereof. 

14 SEC. 304. PERSONNEL. 

15 (a) Appointment. — 

16 (1) In general. —The Director may fix the 

17 number of, and appoint and direct, all employees of 

18 the Agency, in accordance with the applicable provi- 

19 sions of title 5, United States Code. 

20 (2) Employees of the agency. —The Direc- 

21 tor is authorized to employ technologists, designers, 

22 attorneys, investigators, economists, and other em-

23 ployees as the Director considers necessary to con-

24 duct the business of the Agency.

25 (b) Agency Ombudsman.— 
1 (1) Establishment required.—The Director

2 shall appoint an ombudsman. 

3 (2) Duties of ombudsman. —The ombudsman 

4 appointed in accordance with paragraph (1) shall— 

5 (A) act as a liaison between the Agency 

6 and any affected person with respect to any 

7 problem that such person may have in dealing

8 with the Agency, resulting from the regulatory 

9 activities of the Agency; and 

10 (B) assure that safeguards exist to encour- 

11 age complainants to come forward and preserve 

12 confidentiality. 

13 SEC. 305. COMPLAINTS OF INDIVIDUALS. 

14 (a) In General. —The Director shall establish a unit 

15 within the Agency the functions of which shall include es-

16 tablishing a single, toll-free telephone number, a website,

17 and a database or utilizing an existing database to facili- 

18 tate the centralized collection of, monitoring of, and re- 

19 sponse to complaints of individuals regarding the privacy 

20 or security of personal information. The Director shall co- 

21 ordinate with other Federal agencies with jurisdiction over 

22 the privacy or security of personal information to route 

23 complaints to such agencies, where appropriate. 

24 (b) Routing Complaints to States. —To the ex- 

25 tent practicable, State agencies may receive appropriate 
1 complaints from the systems established under subsection

2 (a), if— 

3 (1) the State agency system has the functional 

4 capacity to receive calls or electronic reports routed 

5 by the Agency systems; 

6 (2) the State agency has satisfied any condi-

7 tions of participation in the system that the Agency

8 may establish, including treatment of personal infor- 

9 mation and sharing of information on complaint res- 

10 olution or related compliance procedures and re- 

11 sources; and 

12 (3) participation by the State agency includes 

13 measures necessary to provide for protection of per- 

14 sonal information that conform to the standards for 

15 protection of the confidentiality of personal informa- 

16 tion and for data integrity and security that apply 

17 to Federal agencies. 

18 (c) Data Sharing Required. —To facilitate inclu- 

19 sion in the reports required by section 310 of the matters 

20 regarding complaints of individuals required by subsection 

21 (b)(4) of such section to be included in such reports, inves- 

22 tigation and enforcement activities, and monitoring of the 

23 privacy and security of personal information, the Agency 

24 shall share information about complaints of individuals 

25 with Federal and State agencies that have jurisdiction 
1 over the privacy or security of personal information and

2 State attorneys general, subject to the standards applica- 

3 ble to Federal agencies for protection of the confidentiality 

4 of personal information and for data security and integ- 

5 rity. Other Federal agencies that have jurisdiction over the 

6 privacy or security of personal information shall share 

7 data relating to complaints of individuals regarding the 

8 privacy or security of personal information with the Agen- 

9 cy, subject to the standards applicable to Federal agencies 

10 for protection of confidentiality of personal information 

11 and for data security and integrity. 

12 SEC. 306. USER ADVISORY BOARD. 

13 (a) Establishment Required. —The Director shall 

14 establish a User Advisory Board to advise and consult 

15 with the Agency in the exercise of its functions under this 

16 Act, and to provide information on emerging practices re- 

17 lating to the treatment of personal information by covered 

18 entities, including regional trends, concerns, and other rel- 

19 evant information. 

20 (b) Membership. —In appointing the members of 

21 the User Advisory Board, the Director shall seek to assem- 

22 ble experts in consumer protection, privacy, civil rights, 

23 and ethics, and seek representation of the interests of indi- 

24 viduals who use products or services provided by covered 

25 entities, without regard to party affiliation. 
1 (c) Meetings.—The User Advisory Board shall meet

2 from time to time at the call of the Director, but, at a 

3 minimum, shall meet at least twice in each year. 

4 (d) Compensation and Travel Expenses.—Mem-

5 bers of the User Advisory Board who are not full-time em-

6 ployees of the United States shall—

7 (1) be entitled to receive compensation at a rate

8 fixed by the Director while attending meetings of the

9 User Advisory Board, including travel time; and

10 (2) receive travel expenses, including per diem 

11 in lieu of subsistence, in accordance with applicable 

12 provisions under subchapter I of chapter 57 of title 

13 5, United States Code. 

14 SEC. 307. ACADEMIC AND RESEARCH ADVISORY BOARD. 

15 (a) Establishment Required. —The Director shall 

16 establish an Academic and Research Advisory Board to

17 advise and consult with the Agency in the exercise of its 

18 functions under this Act, and to provide information on 

19 emerging practices relating to the treatment of personal 

20 information by covered entities, including regional trends, 

21 concerns, and other relevant information. 

22 (b) Membership. —In appointing the members of 

23 the Academic and Research Advisory Board, the Director

24 shall seek to assemble individuals with academic and re- 

25 search expertise in privacy, cybersecurity, computer 
1 science, innovation, economics, law, and public policy,

2 without regard to party affiliation. 

3 (c) Meetings.—The Academic and Research Advi-

4 sory Board shall meet from time to time at the call of

5 the Director, but, at a minimum, shall meet at least twice 

6 in each year. 

7 (d) Compensation and Travel Expenses.—Mem-

8 bers of the Academic and Research Advisory Board who

9 are not full-time employees of the United States shall—

10 (1) be entitled to receive compensation at a rate

11 fixed by the Director while attending meetings of the

12 Academic and Research Advisory Board, including

13 travel time; and 

14 (2) receive travel expenses, including per diem 

15 in lieu of subsistence, in accordance with applicable 

16 provisions under subchapter I of chapter 57 of title 

17 5, United States Code. 

18 SEC. 308. SMALL BUSINESS AND INVESTOR ADVISORY 

19 BOARD. 

20 (a) Establishment Required. —The Director shall 

21 establish a Small Business and Investor Advisory Board

22 to advise and consult with the Agency in the exercise of 

23 its functions under this Act, and to provide information 

24 on emerging practices relating to the treatment of per-

1 sonal information by covered entities, including regional

2 trends, concerns, and other relevant information. 

3 (b) Membership.—In appointing the members of

4 the Small Business and Investor Advisory Board, the Di- 

5 rector shall seek to assemble representatives of small busi- 

6 nesses and investors in small businesses, without regard 

7 to party affiliation. 

8 (c) Meetings. —The Small Business and Investor 

9 Advisory Board shall meet from time to time at the call 

10 of the Director, but, at a minimum, shall meet at least 

11 twice in each year. 

12 (d) Compensation and Travel Expenses.—Mem-

13 bers of the Small Business and Investor Advisory Board

14 who are not full-time employees of the United States 

15 shall— 

16 (1) be entitled to receive compensation at a rate 

17 fixed by the Director while attending meetings of the

18 Small Business and Investor Advisory Board, includ-

19 ing travel time; and

20 (2) receive travel expenses, including per diem 

21 in lieu of subsistence, in accordance with applicable 

22 provisions under subchapter I of chapter 57 of title 

23 5, United States Code. 
1 SEC. 309. CONSULTATION.

2 The Director shall consult with Federal and State

3 agencies that have jurisdiction over the privacy or security 

4 of personal information, State attorneys general, inter- 

5 national and intergovernmental bodies that conduct activi-

6 ties relating to the privacy or security of personal informa-

7 tion, and agencies of other countries that are similar to

8 the Agency, as appropriate, to promote consistent regu- 

9 latory treatment of the activities of covered entities relat- 

10 ing to the privacy or security of personal information. 

11 SEC. 310. REPORTS. 

12 (a) Reports Required. —Not later than 6 months 

13 after the date of the enactment of this Act, and every 6

14 months thereafter, the Director shall submit a report to 

15 the President and to the Committee on Energy and Com- 

16 merce, the Committee on the Judiciary, and the Com- 

17 mittee on Appropriations of the House of Representatives 

18 and the Committee on Commerce, Science, and Transpor- 

19 tation, the Committee on the Judiciary, and the Com- 

20 mittee on Appropriations of the Senate, and shall publish 

21 such report on the website of the Agency. 

22 (b) Contents. —Each report required by subsection 

23 (a) shall include— 

24 (1) a discussion of the significant problems 

25 faced by individuals with respect to the privacy or 

26 security of personal information; 
1 (2) a justification of the budget request of the

2 Agency for the preceding year, unless a justification 

3 for such year was included in the preceding report 

4 submitted under such subsection; 

5 (3) a list of the significant rules and orders 

6 adopted by the Agency, as well as other significant 

7 initiatives conducted by the Agency, during the pre- 

8 ceding 6-month period and the plan of the Agency 

9 for rules, orders, or other initiatives to be under-

10 taken during the upcoming 6-month period;

11 (4) an analysis of complaints about the privacy 

12 or security of personal information that the Agency 

13 has received and collected in the database described 

14 in section 305(a) during the preceding 6-month pe- 

15 riod; 

16 (5) a list, with a brief statement of the issues, 

17 of the public enforcement actions to which the Agen- 

18 cy was a party during the preceding 6-month period; 

19 and 

20 (6) an assessment of significant actions by 

21 State attorneys general or State agencies relating to 

22 this Act or the rules prescribed under this Act dur- 

23 ing the preceding 6-month period. 
1 SEC. 311. GRANTS FOR DEVELOPING OPEN-SOURCE MA-

2 CHINE LEARNING TRAINING DATA.

3 The Director shall establish an Open-Source Machine

4 Learning Training Data Program and make grants 

5 through the program to support the development of open- 

6 source, voluntarily disclosed, personal information data 

7 sets to be used for the training or development of machine 

8 learning and artificial intelligence algorithms. The Direc- 

9 tor shall promulgate regulations to implement the Pro- 

10 gram and to consider any such data sets are in compliance 

11 with this Act balancing any intrusion on the privacy of, 

12 potential privacy harms to, and reasonable expectations of 

13 individuals to whom the personal information relates. 

14 SEC. 312. ANNUAL AUDITS. 

15 The Director shall order an annual independent audit 

16 of the operations and budget of the Agency. 

17 SEC. 313. INSPECTOR GENERAL. 

18 Section 12 of the Inspector General Act of 1978 (5 

19 U.S.C. App.) is amended— 

20 (1) in paragraph (1), by inserting the “Director 

21 of the Digital Privacy Agency;” after “the President 

22 of the Export-Import Bank;”; and 

23 (2) in paragraph (2), by inserting “the Digital 

24 Privacy Agency,” after “the Export-Import Bank,”. 
1 SEC. 314. AUTHORIZATION OF APPROPRIATIONS.

2 There are authorized to be appropriated to the Direc- 

3 tor to carry out this Act $550,000,000 for each of the 

4 fiscal years 2020, 2021, 2022, 2023, and 2024. 

5 TITLE IV—ENFORCEMENT 

6 SEC. 401. DEFINITIONS. 

7 In this title: 

8 (1) Agency investigator. —The term “Agen- 

9 cy investigator” means any attorney or investigator 

10 employed by the Agency who is charged with the 

11 duty of enforcing or carrying into effect any provi-

12 sion of this Act or a rule or order prescribed under

13 this Act. 

14 (2) Attorney general. —The term “attorney 

15 general” means, with respect to a State, the attor- 

16 ney general or chief law enforcement officer of the 

17 State, or another official or agency designated by 

18 the State to bring civil actions on behalf of the State 

19 or the residents of the State. 

20 (3) Custodian.—The term “custodian” means

21 the custodian or any deputy custodian designated by 

22 the Agency. 

23 (4) Documentary material.—The term

24 “documentary material” includes the original or any 

25 copy of any book, document, record, report, memo- 

26 randum, paper, communication, tabulation, chart, 
1 logs, electronic files, or other data or data compila-

2 tions stored in any medium.

3 (5) Violation. —The term “violation” means 

4 any act or omission that, if proved, would constitute 

5 a violation of any provision of this Act or a rule or

6 order prescribed under this Act. 

7 (6) Non-public information. —The term 

8 “non-public information” means information that 

9 has not been disclosed in a criminal, civil, or admin- 

10 istrative proceeding, in a government investigation, 

11 report, or audit, or by the news media or other pub-

12 lic source of information, and that was not obtained

13 in violation of the law. 

14 SEC. 402. INVESTIGATIONS AND ADMINISTRATIVE DIS- 

15 COVERY. 

16 (a) Joint Investigations. —The Agency or, where 

17 appropriate, an Agency investigator, may conduct inves- 

18 tigations and make requests for information, as authorized 

19 under this Act, on a joint basis with another agency (as 

20 defined in section 551 of title 5, United States Code). 

21 (b) Subpoenas. — 

22 (1) In general. —The Agency or an Agency 

23 investigator may issue subpoenas for the attendance 

24 and testimony of witnesses and the production of 
1 relevant papers, books, documents, or other material

2 in connection with hearings under this Act. 

3 (2) Failure to obey.—In the case of contu-

4 macy or refusal to obey a subpoena issued pursuant

5 to this subsection and served upon any person, the 

6 district court of the United States for any district in 

7 which such person is found, resides, or transacts 

8 business, upon application by the Agency or an 

9 Agency investigator and after notice to such person, 

10 may issue an order requiring such person to appear 

11 and give testimony or to appear and produce docu-

12 ments or other material.

13 (3) Contempt. —Any failure to obey an order 

14 of the court under paragraph (2) may be punished 

15 by the court as a contempt thereof. 

16 (c) Demands.— 

17 (1) In general. —Whenever the Agency has 

18 reason to believe that any person may be in posses- 

19 sion, custody, or control of any documentary mate- 

20 rial or tangible things, or may have any information, 

21 relevant to a violation, the Agency may, before the 

22 institution of any proceedings under this Act, issue 

23 in writing, and cause to be served upon such person, 

24 a civil investigative demand requiring such person 

25 to— 
(A) produce such documentary material for inspection and copying or reproduction in the form or medium requested by the Agency;

(B) submit such tangible things;

(C) file written reports or answers to questions;

(D) give oral testimony concerning documentary material, tangible things, or other information; or

(E) furnish any combination of such material, answers, or testimony.

(2) Requirements.—Each civil investigative demand shall state the nature of the conduct constituting the alleged violation which is under investigation and the provision of law applicable to such violation.

(3) Production of documents.—Each civil investigative demand for the production of documentary material shall—

(A) describe each class of documentary material to be produced under the demand with such definiteness and certainty as to permit such material to be fairly identified;

(B) prescribe a return date or dates which will provide a reasonable period of time within which the material so demanded may be assembled and made available for inspection and copying or reproduction; and

(C) identify the custodian to whom such material shall be made available.

(4) Production of things.—Each civil investigative demand for the submission of tangible things shall—

(A) describe each class of tangible things to be submitted under the demand with such definiteness and certainty as to permit such things to be fairly identified;

(B) prescribe a return date or dates which will provide a reasonable period of time within which the things so demanded may be assembled and submitted; and

(C) identify the custodian to whom such things shall be submitted.

(5) Demand for written reports or answers.—Each civil investigative demand for written reports or answers to questions shall—

(A) propound with definiteness and certainty the reports to be produced or the questions to be answered;


g:\VHLC\102919\102919.121 .xml 
October 29, 2019 (12:16 p.m.) 


(739203128) 



G:\M\16VESHOO\ESHOO_038.XML 



(B) prescribe a date or dates at which time written reports or answers to questions shall be submitted; and

(C) identify the custodian to whom such reports or answers shall be submitted.

(6) Oral testimony.—Each civil investigative demand for the giving of oral testimony shall—

(A) prescribe a date, time, and place at which oral testimony shall be commenced; and

(B) identify an Agency investigator who shall conduct the investigation and the custodian to whom the transcript of such investigation shall be submitted.

(7) Service.—Any civil investigative demand issued, and any enforcement petition filed, under this section may be served—

(A) by any Agency investigator at any place within the territorial jurisdiction of any court of the United States; and

(B) upon any person who is not found within the territorial jurisdiction of any court of the United States—

(i) in such manner as the Federal Rules of Civil Procedure prescribe for service in a foreign nation; and


(ii) to the extent that the courts of the United States have authority to assert jurisdiction over such person, consistent with due process, the United States District Court for the District of Columbia shall have the same jurisdiction to take any action respecting compliance with this section by such person that such district court would have if such person were personally within the jurisdiction of such district court.

(8) Method of service.—Service of any civil investigative demand or any enforcement petition filed under this section may be made upon a person by—

(A) delivering a duly executed copy of such demand or petition to the individual or to any partner, executive officer, managing agent, or general agent of such person, or to any agent of such person authorized by appointment or by law to receive service of process on behalf of such person;

(B) delivering a duly executed copy of such demand or petition to the principal office or place of business of the person to be served; or
1 (C) depositing a duly executed copy in the

2 United States mails, by registered or certified 

3 mail, return receipt requested, duly addressed 

4 to such person at the principal office or place 

5 of business of such person. 

6 (9) Proof of service.— 

7 (A) In general.— A verified return by the 

8 individual serving any civil investigative demand 

9 or any enforcement petition filed under this sec- 

10 tion setting forth the manner of such service 

11 shall be proof of such service. 

12 (B) Return receipts. —In the case of 

13 service by registered or certified mail, such re- 

14 turn shall be accompanied by the return post 

15 office receipt of delivery of such demand or en- 

16 forcement petition. 

17 (10) Production of documentary mate- 

18 rial. —The production of documentary material in 

19 response to a civil investigative demand shall be 

20 made under a sworn certificate, in such form as the 

21 demand designates, by the person, if a natural per- 

22 son, to whom the demand is directed or, if not a 

23 natural person, by any person having knowledge of 

24 the facts and circumstances relating to such produc-

25 tion, to the effect that all of the documentary mate-

1 rial required by the demand and in the possession,

2 custody, or control of the person to whom the de-

3 mand is directed has been produced and made avail-

4 able to the custodian.

5 (11) Submission of tangible things. —The 

6 submission of tangible things in response to a civil 

7 investigative demand shall be made under a sworn 

8 certificate, in such form as the demand designates, 

9 by the person to whom the demand is directed or, 

10 if not a natural person, by any person having knowl- 

11 edge of the facts and circumstances relating to such 

12 production, to the effect that all of the tangible 

13 things required by the demand and in the posses- 

14 sion, custody, or control of the person to whom the 

15 demand is directed have been submitted to the cus- 

16 todian. 

17 (12) Separate answers. —Each reporting re- 

18 quirement or question in a civil investigative demand 

19 shall be answered separately and fully in writing 

20 under oath, unless it is objected to, in which event 

21 the reasons for the objection shall be stated in lieu 

22 of an answer, and it shall be submitted under a 

23 sworn certificate, in such form as the demand des-

24 ignates, by the person, if a natural person, to whom

25 the demand is directed or, if not a natural person, 
by any person responsible for answering each reporting requirement or question, to the effect that all information required by the demand and in the possession, custody, control, or knowledge of the person to whom the demand is directed has been submitted.
(13) Testimony.— 

(A) In general.— 

(i) Oath and recordation.—The examination of any person pursuant to a demand for oral testimony served under this subsection shall be taken before an officer authorized to administer oaths and affirmations by the laws of the United States or of the place at which the examination is held. The officer before whom oral testimony is to be taken shall put the witness on oath or affirmation and shall personally, or by any individual acting under the direction of and in the presence of the officer, record the testimony of the witness.

(ii) Transcription.—The testimony shall be taken stenographically and transcribed.
(B) Parties present.—Any Agency investigator before whom oral testimony is to be taken shall exclude from the place where the testimony is to be taken all other persons, except the person giving the testimony, the attorney for that person, the officer before whom the testimony is to be taken, an investigator or representative of an agency with which the Agency is engaged in a joint investigation, and any stenographer taking such testimony.

(C) Location.—The oral testimony of any person taken pursuant to a civil investigative demand shall be taken in the judicial district of the United States in which such person resides, is found, or transacts business, or in such other place as may be agreed upon by the Agency investigator before whom the oral testimony of such person is to be taken and such person.

(D) Attorney representation.—

(i) In general.—Any person compelled to appear under a civil investigative demand for oral testimony pursuant to this subsection may be accompanied, represented, and advised by an attorney.
(ii) Authority.—The attorney may advise a person described in clause (i), in confidence, either upon the request of such person or upon the initiative of the attorney, with respect to any question asked of such person.

(iii) Objections.—A person described in clause (i), or the attorney for that person, may object on the record to any question, in whole or in part, and such person shall briefly state for the record the reason for the objection. An objection may properly be made, received, and entered upon the record when it is claimed that such person is entitled to refuse to answer the question on grounds of any constitutional or other legal right or privilege, including the privilege against self-incrimination, but such person shall not otherwise object to or refuse to answer any question, and such person or attorney shall not otherwise interrupt the oral examination.

(iv) Refusal to answer.—If a person described in clause (i) refuses to answer any question—
(I) the Agency may petition the district court of the United States pursuant to this section for an order compelling such person to answer such question; and

(II) if the refusal is on grounds of the privilege against self-incrimination, the testimony of such person may be compelled in accordance with the provisions of section 6004 of title 18, United States Code.

(E) Transcripts.—For purposes of this subsection—

(i) after the testimony of any witness is fully transcribed, the Agency investigator shall afford the witness (who may be accompanied by an attorney) a reasonable opportunity to examine the transcript;

(ii) the transcript shall be read to or by the witness, unless such examination and reading are waived by the witness;

(iii) any changes in form or substance which the witness desires to make shall be entered and identified upon the transcript by the Agency investigator, with a statement of the reasons given by the witness for making such changes;

(iv) the transcript shall be signed by the witness, unless the witness in writing waives the signing, is ill, cannot be found, or refuses to sign; and

(v) if the transcript is not signed by the witness during the 30-day period following the date on which the witness is first afforded a reasonable opportunity to examine the transcript, the Agency investigator shall sign the transcript and state on the record the fact of the waiver, illness, absence of the witness, or the refusal to sign, together with any reasons given for the failure to sign.

(F) Certification by investigator.—The Agency investigator shall certify on the transcript that the witness was duly sworn by him or her and that the transcript is a true record of the testimony given by the witness, and the Agency investigator shall promptly deliver the transcript or send it by registered or certified mail to the custodian.
1 (G) Copy of transcript.—The Agency

2 investigator shall furnish a copy of the tran- 

3 script (upon payment of reasonable charges for 

4 the transcript) to the witness only, except that 

5 the Agency may for good cause limit such wit- 

6 ness to inspection of the official transcript of 

7 his testimony. 

8 (H) Witness fees.—Any witness appear-

9 ing for the taking of oral testimony pursuant to

10 a civil investigative demand shall be entitled to 

11 the same fees and mileage which are paid to 

12 witnesses in the district courts of the United 

13 States. 

14 (d) Confidential Treatment of Demand Mate- 

15 rial.— 

16 (1) In general. —Documentary materials and 

17 tangible things received as a result of a civil inves- 

18 tigative demand shall be subject to requirements and 

19 procedures regarding confidentiality, in accordance 

20 with rules established by the Agency. 

21 (2) Disclosure to congress.—No rule es-

22 tablished by the Agency regarding the confidentiality

23 of materials submitted to, or otherwise obtained by, 

24 the Agency shall be intended to prevent disclosure to 

25 either House of Congress or to an appropriate com- 



1 mittee of the Congress, except that the Agency is 

2 permitted to adopt rules allowing prior notice to any 

3 party that owns or otherwise provided the material 

4 to the Agency and had designated such material as

5 confidential. 

6 (e) Petition for Enforcement.— 

7 (1) In general.—Whenever any person fails

8 to comply with any civil investigative demand duly

9 served upon him under this section, or whenever sat-

10 isfactory copying or reproduction of material re-

11 quested pursuant to the demand cannot be accom-

12 plished and such person refuses to surrender such

13 material, the Agency, through such officers or attor- 

14 neys as it may designate, may file, in the district 

15 court of the United States for any judicial district 

16 in which such person resides, is found, or transacts 

17 business, and serve upon such person, a petition for 

18 an order of such court for the enforcement of this 

19 section. 

20 (2) Service of process. —All process of any

21 court to which application may be made as provided 

22 in this subsection may be served in any judicial dis- 

23 trict. 

24 (f) Petition for Order Modifying or Setting 

25 Aside Demand.— 
1 (1) In general. —Not later than 20 days after

2 the service of any civil investigative demand upon 

3 any person under subsection (c), or at any time be- 

4 fore the return date specified in the demand, which- 

5 ever period is shorter, or within such period exceed- 

6 ing 20 days after service or in excess of such return 

7 date as may be prescribed in writing, subsequent to 

8 service, by any Agency investigator named in the de- 

9 mand, such person may file with the Agency a peti- 

10 tion for an order by the Agency modifying or setting 

11 aside the demand. 

12 (2) Compliance during pendency. —The 

13 time permitted for compliance with the demand in 

14 whole or in part, as determined proper and ordered 

15 by the Agency, shall not run during the pendency of 

16 a petition under paragraph (1) at the Agency, except 

17 that such person shall comply with any portions of 

18 the demand not sought to be modified or set aside. 

19 (3) Specific grounds. —A petition under 

20 paragraph (1) shall specify each ground upon which 

21 the petitioner relies in seeking relief, and may be 

22 based upon any failure of the demand to comply 

23 with the provisions of this section, or upon any con- 

24 stitutional or other legal right or privilege of such 

25 person. 
1 (g) Custodial Control. —At any time during

2 which any custodian is in custody or control of any docu- 

3 mentary material, tangible things, reports, answers to 

4 questions, or transcripts of oral testimony given by any 

5 person in compliance with any civil investigative demand, 

6 such person may file, in the district court of the United 

7 States for the judicial district within which the office of 

8 such custodian is situated, and serve upon such custodian, 

9 a petition for an order of such court requiring the per- 

10 formance by such custodian of any duty imposed upon him 

11 by this section or rule promulgated by the Agency. 

12 (h) Jurisdiction of Court.—

13 (1) In general.—Whenever any petition is

14 filed in any district court of the United States under 

15 this section, such court shall have jurisdiction to 

16 hear and determine the matter so presented, and to 

17 enter such order or orders as may be required to 

18 carry out the provisions of this section. 

19 (2) Appeal. —Any final order entered as de-

20 scribed in paragraph (1) shall be subject to appeal

21 pursuant to section 1291 of title 28, United States

22 Code. 

23 SEC. 403. HEARINGS AND ADJUDICATION PROCEEDINGS. 

24 (a) In General. —The Agency is authorized to con- 

25 duct hearings and adjudication proceedings with respect 
to any person in the manner prescribed by chapter 5 of
title 5, United States Code, in order to ensure or enforce 
compliance with this Act and the rules prescribed under 
this Act. 

(b) Special Rules for Cease-and-desist Pro-
ceedings.—

(1) Orders authorized.— 

(A) In general. —If, in the opinion of the 
Agency, a person is engaging or has engaged in 
an act or omission that violates any provision of 
this Act or a rule or order prescribed under this 
Act, the Agency may issue and serve upon the 
person a notice of charges in respect thereof. 

(B) Content of notice. —The notice
under subparagraph (A) shall contain a state-
ment of the facts constituting the alleged viola-
tion, and shall fix a time and place at which a
hearing will be held to determine whether an
order to cease and desist should issue against
the person, such hearing to be held not earlier
than 30 days nor later than 60 days after the
date of service of such notice, unless an earlier
or a later date is set by the Agency, at the re-
quest of any person so served.
(C) Consent.— Unless a person served
under subparagraph (B) appears at the hearing
personally or by a duly authorized representa-
tive, the person shall be deemed to have con-
sented to the issuance of the cease-and-desist
order. 

(D) Procedure.— In the event of consent 
under subparagraph (C), or if, upon the record 
made at any such hearing, the Agency finds 
that any violation specified in the notice of 
charges has been established, the Agency may 
issue and serve upon the person an order to 
cease and desist from the violation. Such order 
may, by provisions which may be mandatory or 
otherwise, require the person to cease and de-
sist from the subject act or omission, and to
take affirmative action to correct the conditions 
resulting from any such violation. 

(2) Effectiveness of order.— A cease-and- 
desist order shall become effective at the expiration 
of 30 days after the date of service of the order 
under paragraph (1)(D) (except in the case of a 
cease-and-desist order issued upon consent, which 
shall become effective at the time specified therein), 
and shall remain effective and enforceable as pro- 
1 vided therein, except to such extent as the order is

2 stayed, modified, terminated, or set aside by action 

3 of the Agency or a reviewing court. 

4 (3) Decision and appeal. —Any hearing pro- 

5 vided for in this subsection shall be held in the Fed- 

6 eral judicial district or in the territory in which the 

7 residence or principal office or place of business of 

8 the person is located unless the person consents to 

9 another place, and shall be conducted in accordance 

10 with the provisions of chapter 5 of title 5, United 

11 States Code. After such hearing, and not later than 

12 90 days after the Agency has notified each party to 

13 the proceeding that the case has been submitted to 

14 the Agency for final decision, the Agency shall 

15 render its decision (which shall include findings of 

16 fact upon which its decision is predicated) and shall 

17 issue and serve upon each such party an order or or- 

18 ders consistent with the provisions of this section. 

19 Judicial review of any such order shall be exclusively 

20 as provided in this subsection. Unless a petition for 

21 review is timely filed in a court of appeals of the 

22 United States, as provided in paragraph (4), and 

23 thereafter until the record in the proceeding has 

24 been filed as provided in paragraph (4), the Agency 

25 may at any time, upon such notice and in such man- 
1 ner as the Agency shall determine proper, modify,

2 terminate, or set aside any such order. Upon filing

3 of the record as provided, the Agency may modify,

4 terminate, or set aside any such order with permis-

5 sion of the court.

6 (4) Appeal to court of appeals.—Any

7 party to any proceeding under this subsection may 

8 obtain a review of any order served pursuant to this 

9 subsection (other than an order issued with the con- 

10 sent of the party) by filing in the court of appeals 

11 of the United States for the circuit in which the resi- 

12 dence or principal office or place of business of the 

13 party is located, or in the United States Court of 

14 Appeals for the District of Columbia Circuit, within 

15 30 days after the date of service of such order, a

16 written petition praying that the order of the Agency

17 be modified, terminated, or set aside. A copy of such

18 petition shall be forthwith transmitted by the clerk 

19 of the court to the Agency, and thereupon the Agen- 

20 cy shall file in the court the record in the pro- 

21 ceeding, as provided in section 2112 of title 28, 

22 United States Code. Upon the filing of such petition,

23 such court shall have jurisdiction, which upon the

24 filing of the record shall, except as provided in the 

25 last sentence of paragraph (3), be exclusive, to af- 
1 firm, modify, terminate, or set aside, in whole or in

2 part, the order of the Agency. Review of such pro-

3 ceedings shall be had as provided in chapter 7 of 

4 title 5, United States Code. The judgment and de- 

5 cree of the court shall be final, except that the same 

6 shall be subject to review by the Supreme Court of 

7 the United States, upon certiorari, as provided in 

8 section 1254 of title 28, United States Code.

9 (5) No stay. —The commencement of pro-

10 ceedings for judicial review under paragraph (4) 

11 shall not, unless specifically ordered by the court, 

12 operate as a stay of any order issued by the Agency. 

13 (c) Special Rules for Temporary Cease-and- 

14 desist Proceedings.— 

15 (1) In general. —Whenever the Agency deter-

16 mines that the violation specified in the notice of 

17 charges served upon a person pursuant to subsection 

18 (b), or the continuation thereof, is likely to cause the 

19 person to be insolvent or otherwise prejudice the in- 

20 terests of individuals before the completion of the 

21 proceedings conducted pursuant to subsection (b), 

22 the Agency may issue a temporary order requiring 

23 the person to cease and desist from any such viola- 

24 tion and to take affirmative action to prevent or 

25 remedy such insolvency or other condition pending 
1 completion of such proceedings. Such order may in-

2 clude any requirement authorized under this title.

3 Such order shall become effective upon service upon 

4 the person and, unless set aside, limited, or sus- 

5 pended by a court in proceedings authorized by 

6 paragraph (2), shall remain effective and enforceable 

7 pending the completion of the administrative pro- 

8 ceedings pursuant to such notice and until such time 

9 as the Agency shall dismiss the charges specified in 

10 such notice, or if a cease-and-desist order is issued 

11 against the person, until the effective date of such 

12 order. 

13 (2) Appeal. —Not later than 10 days after a 

14 person has been served with a temporary cease-and- 

15 desist order, the person may apply to the United 

16 States district court for the judicial district in which 

17 the residence or principal office or place of business 

18 of the person is located, or the United States Dis- 

19 trict Court for the District of Columbia, for an in- 

20 junction setting aside, limiting, or suspending the 

21 enforcement, operation, or effectiveness of such 

22 order pending the completion of the administrative 

23 proceedings pursuant to the notice of charges served 

24 upon the person under subsection (b), and such 

25 court shall have jurisdiction to issue such injunction. 
1 (d) Special Rules for Enforcement of Or-

2 ders.— 

3 (1) In general. —The Agency may in its dis- 

4 cretion apply to the United States district court 

5 within the jurisdiction of which the residence or 

6 principal office or place of business of a person is lo- 

7 cated, for the enforcement of any effective and out-

8 standing order issued under this section against

9 such person, and such court shall have jurisdiction

10 and power to order and require compliance with

11 such order.

12 (2) Exception. —Except as otherwise provided 

13 in this section, no court shall have jurisdiction to af-

14 fect by injunction or otherwise the issuance or en-

15 forcement of any order or to review, modify, sus- 

16 pend, terminate, or set aside any such order. 

17 (e) Rules. —The Agency shall prescribe rules estab-

18 lishing such procedures as may be necessary to carry out

19 this section. 

20 SEC. 404. LITIGATION AUTHORITY. 

21 (a) In General.—If a person violates any provision

22 of this Act or a rule or order prescribed under this Act,

23 the Agency may commence a civil action against such per- 

24 son to impose a civil penalty or to seek all appropriate 
legal and equitable relief, including a permanent or tem-
porary injunction.

(b) Representation. —Except as provided in sub-
section (e), the Agency may act in its own name and
through its own attorneys in any action, suit, or other 
court proceeding to which the Agency is a party. 

(c) Compromise of Actions. —The Agency may 
compromise or settle any action, suit, or other court pro-
ceeding to which the Agency is a party if such compromise
is approved by the court. 

(d) Notice to the Attorney General.— 

(1) In general.— When commencing a civil 
action under subsection (a), the Agency shall notify 
the Attorney General. 

(2) Notice and coordination.— 

(A) Notice of other actions. —In addi-
tion to any notice required under paragraph
(1), the Agency shall notify the Attorney Gen-
eral concerning any action, suit, or other court
proceeding to which the Agency is a party. 

(B) Coordination. —In order to avoid
conflicts and promote consistency regarding liti-
gation of matters under Federal law, the Attor-
ney General and the Agency shall consult re-
garding the coordination of investigations and
1 proceedings, including by negotiating an agree-

2 ment for coordination by not later than 180 

3 days after the effective date specified in section 

4 4(a). The agreement under this subparagraph 

5 shall include provisions to ensure that parallel 

6 investigations and proceedings involving this 

7 Act and the rules prescribed under this Act are 

8 conducted in a manner that avoids conflicts and 

9 does not impede the ability of the Attorney 

10 General to prosecute violations of Federal 

11 criminal laws. 

12 (C) Rule of construction. —Nothing in 

13 this paragraph shall be construed to limit the 

14 authority of the Agency under this Act, includ- 

15 ing the authority to interpret this Act. 

16 (e) Appearance Before the Supreme Court.— 

17 The Agency may represent itself in its own name before 

18 the Supreme Court of the United States, if the Agency 

19 makes a written request to the Attorney General within 

20 the 10-day period which begins on the date of entry of 

21 the judgment which would permit any party to file a peti- 

22 tion for writ of certiorari, and the Attorney General con- 

23 curs with such request or fails to take action within 60 

24 days of the request of the Agency. 
1 (f) Forum.—Any civil action brought under sub-

2 section (a) may be brought in an appropriate district court 

3 of the United States or an appropriate State court. 

4 (g) Time for Bringing Action. —Except as other- 

5 wise permitted by law or equity, no action may be brought 

6 under subsection (a) more than 3 years after the date of 

7 discovery of the violation to which the action relates. 

8 SEC. 405. COORDINATION WITH OTHER FEDERAL AGEN- 

9 CIES. 

10 (a) Coordination. —With respect to covered entities

11 and service providers, to the extent that Federal law au-

12 thorizes the Agency and another Federal agency to enforce

13 privacy laws, the other Federal agency shall coordinate 

14 with the Agency to promote consistent enforcement of this 

15 Act and other Federal privacy laws. 

16 (b) Referral. —Any Federal agency authorized to 

17 enforce a Federal privacy law described in section 501 

18 may recommend in writing to the Agency that the Agency 

19 initiate an enforcement proceeding, as the Agency is au-

20 thorized by that Federal law or by this Act.

21 (c) Coordination With the Federal Trade 

22 Commission.— 

23 (1) In general. —The Agency and the Federal 

24 Trade Commission shall negotiate an agreement for 

25 coordinating with respect to enforcement actions by 
each agency regarding the provision of a product or
service offered by any covered entity. The agreement
shall include procedures for notice to the other agen-
cy, where feasible, prior to initiating a civil action to
enforce any Federal law regarding the privacy of in-
dividuals or security of personal information.

(2) Civil actions. —Whenever a civil action
has been filed by, or on behalf of, the Agency or the 
Federal Trade Commission for any violation of any 
provision of Federal law described in paragraph (1), 
or any regulation prescribed under such provision of 
law— 

(A) the other agency may not, during the 
pendency of that action, institute a civil action 
under such provision of law against any defend-
ant named in the complaint in such pending ac-
tion for any violation alleged in the complaint;
and 

(B) the Agency or the Federal Trade Com-
mission may intervene as a party in any such
action brought by the other agency, and, upon 
intervening— 

(i) be heard on all matters arising in 
such enforcement action; and 
1 (ii) file petitions for appeal in such ac-

2 tions.

3 (3) Agreement terms.—The terms of any

4 agreement negotiated under paragraph (1) may 

5 modify or supersede the provisions of paragraph (2). 

6 (4) Deadline. —The agencies shall reach the 

7 agreement required under paragraph (1) not later 

8 than 6 months after the designated transfer date. 

9 SEC. 406. ENFORCEMENT BY STATES. 

10 (a) Civil Action. —In any case in which the attor- 

11 ney general of a State has reason to believe that an inter- 

12 est of the residents of such State has been or is adversely 

13 affected by any person who violates any provision of this 

14 Act or a rule or order prescribed under this Act, the attor-

15 ney general of the State, as parens patriae, may bring a 

16 civil action on behalf of the residents of the State in an 

17 appropriate State court or an appropriate district court 

18 of the United States— 

19 (1) to enjoin further violation of such provision 

20 by the defendant; 

21 (2) to compel compliance with such provision; 

22 or 

23 (3) to obtain relief under section 408. 

24 (b) Rights of Agency. —Before initiating a civil ac- 

25 tion under subsection (a), the attorney general of a State 
1 shall notify the Agency in writing of such civil action.

2 Upon receiving notice with respect to a civil action, the 

3 Agency may— 

4 (1) intervene in such action; and

5 (2) upon intervening— 

6 (A) be heard on all matters arising in such 

7 civil action; and 

8 (B) file petitions for appeal of a decision in 

9 such action. 

10 (c) Preemptive Action by Agency.—If the Agen-

11 cy institutes a civil action for violation of any provision

12 of this Act or a rule or order prescribed under this Act,

13 no attorney general of a State may bring a civil action 

14 against any defendant named in the complaint of the 

15 Agency for a violation of such provision that is alleged 

16 in such complaint. 

17 SEC. 407. PRIVATE RIGHTS OF ACTION. 

18 (a) Injunctive Relief.— A person who is aggrieved 

19 by a violation of this Act may bring a civil action for de- 

20 claratory or injunctive relief in any court of competent ju- 

21 risdiction in any State or in an appropriate district court. 

22 (b) Civil Action for Damages. —Except for claims

23 under rule 23 of the Federal Rules of Civil Procedure or 

24 a similar judicial procedure authorizing an action to be 

25 brought by 1 or more representatives, a person who is ag- 
1 grieved by a violation of this Act may bring a civil action

2 for damages in any court of competent jurisdiction in any 

3 State or in an appropriate district court. 

4 (c) Nonprofit Collective Representation.— 

5 An individual shall have the right to appoint a nonprofit 

6 body, organization, or association which has been properly 

7 constituted in accordance with the law, has statutory ob- 

8 jectives which are in the public interest, and is active in 

9 the field of the protection of individual rights and free- 

10 doms with regard to the protection of their personal data 

11 to lodge the complaint on his or her behalf, to exercise 

12 the rights referred to in this Act on his or her behalf. 

13 (1) A nonprofit may represent a class of ag- 

14 grieved individuals 

15 (2) A prevailing nonprofit shall receive reason- 

16 able compensation for expenses, including attorneys 

17 fees. 

18 (3) Individuals shall receive an equally divided 

19 share of the total damages. 

20 (d) State Appointment. —A State may provide 

21 that any body, organization or association referred to in 

22 subsection (c), independently of an individual’s appoint- 

23 ment, has the right to lodge, in that State, a complaint 

24 with the Agency and to exercise the rights referred to in 
this Act if it considers that the rights of an individual
under this Act have been infringed. 

SEC. 408. RELIEF AVAILABLE. 

(a) Civil Actions and Adjudication Pro-
ceedings.—

(1) Jurisdiction.— In any civil action or any 
adjudication proceeding brought by the Agency or 
the attorney general of a State, under any provision 
of this Act or a rule or order prescribed under this 
Act, the court or the Agency (as the case may be) 
shall have jurisdiction to grant any appropriate legal 
or equitable relief with respect to a violation of such 
provision. 

(2) Relief. —Relief under this section may in-
clude—

(A) rescission or reformation of contracts; 

(B) refund of moneys; 

(C) restitution; 

(D) disgorgement or compensation for un-
just enrichment;

(E) payment of damages or other mone-
tary relief;

(F) public notification regarding the viola-
tion, including the costs of notification;
1 (G) limits on the activities or functions of

2 the person; and 

3 (H) civil money penalties, as provided in 

4 subsection (c). 

5 (3) No exemplary or punitive damages.—

6 Nothing in this subsection shall be construed as au-

7 thorizing the imposition of exemplary or punitive

8 damages. 

9 (b) Recovery of Costs. —In any civil action 

10 brought by the Agency or the attorney general of a State 

11 under any provision of this Act or a rule or order pre- 

12 scribed under this Act, the Agency or attorney general 

13 may recover its costs in connection with prosecuting such 

14 action if the Agency or attorney general is the prevailing 

15 party in the action. 

16 (c) Civil Money Penalty in Court and Adju- 

17 dication Proceedings.— 

18 (1) In general. —Any person who violates,

19 through any act or omission, any provision of this 

20 Act or a rule or order prescribed under this Act 

21 shall forfeit and pay a civil penalty under this sub- 

22 section. 

23 (2) Penalty amount.— 
(A) In general.— The amount of a civil
penalty under this subsection may not exceed,
for each violation, the product of—

(i) the maximum civil penalty for
which a person, partnership, or corporation
may be liable under section 5(m)(1)(A) of
the Federal Trade Commission Act (15
U.S.C. 45(m)(1)(A)) for a violation of a
rule under such Act respecting unfair or 
deceptive acts or practices, as adjusted 
under the Federal Civil Penalties Inflation 
Adjustment Act of 1990 (28 U.S.C. 2461 
note); and 

(ii) the number of individuals the per-
sonal information of which is affected by
the violation. 

(B) Continuing violations.— In the 
case of a violation through continuing failure to 
comply with a provision of this Act or a rule or 
order prescribed under this Act, each day of 
continuance of such failure shall be treated as 
a separate violation for purposes of subpara-
graph (A).

(3) Mitigating factors.— In determining the 
amount of any penalty assessed under paragraph 




(2), the court or the Agency shall take into account 
the appropriateness of the penalty with respect to— 

(A) the size of financial resources and good 
faith of the person charged; 

(B) the gravity of the violation; 

(C) the severity of the privacy harms (in-
cluding both actual and potential harms) to in-
dividuals;

(D) any disparate impact of the privacy 
harms (including both actual and potential 
harms) on protected classes; 

(E) the history of previous violations; and 

(F) such other matters as justice may re-
quire.

(4) Authority to modify or remit pen-
alty. —The Agency or attorney general of a State
may compromise, modify, or remit any penalty which
may be assessed or has already been assessed under
paragraph (2). The amount of such penalty, when fi-
nally determined, shall be exclusive of any sums
owed by the person to the United States in connec-
tion with the costs of the proceeding, and may be
deducted from any sums owing by the United States 
to the person charged. 
1 (5) Notice and hearing.—No civil penalty

2 may be assessed under this subsection with respect

3 to a violation of any provision of this Act or a rule

4 or order prescribed under this Act, unless— 

5 (A) the Agency or attorney general of a 

6 State gives notice and an opportunity for a 

7 hearing to the person accused of the violation; 

8 or 

9 (B) the appropriate court has ordered such 

10 assessment and entered judgment in favor of 

11 the Agency or attorney general of a State. 

12 SEC. 409. REFERRAL FOR CRIMINAL PROCEEDINGS. 

13 If the Agency obtains evidence that any person, do- 

14 mestic or foreign, has engaged in conduct that may con- 

15 stitute a violation of Federal criminal law, the Agency 

16 shall transmit such evidence to the Attorney General of 

17 the United States, who may institute criminal proceedings 

18 under appropriate law. Nothing in this section affects any 

19 other authority of the Agency to disclose information. 

20 SEC. 410. WHISTLEBLOWER ENFORCEMENT. 

21 (a) In General. —Any person who becomes aware,

22 based on non-public information, that a covered entity has 

23 violated this Act may file a civil action for civil penalties, 

24 if prior to filing such action, the person files with the Di- 

25 rector a written request for the Director to commence the 
1 action. The request shall include a clear and concise state-

2 ment of the grounds for believing a cause of action exists. 

3 The person shall make the non-public information avail- 

4 able to the Director upon request. 

5 (1) If the Director files suit within 90 days 

6 from receipt of the written request to commence the 

7 action, no other action may be brought unless the 

8 action brought by the Director is dismissed without 

9 prejudice. 

10 (2) If the Director does not file suit within 90 

11 days from receipt of the written request to com- 

12 mence the action, the person requesting the action 

13 may proceed to file a civil action. 

14 (3) The time period within which a civil action 

15 shall be commenced shall be tolled from the date of 

16 receipt by the Director of the written request to ei- 

17 ther the date that the civil action is dismissed with- 

18 out prejudice, or for 150 days, whichever is later, 

19 but only for a civil action brought by the person who 

20 requested the Director to commence the action. 

21 (b) Allocation of Civil Penalties.— If a judg- 

22 ment is entered against the defendant or defendants in 

23 an action brought pursuant to this section, or the matter 

24 is settled, amounts received as civil penalties or pursuant 

25 to a settlement of the action shall be allocated as follows: 
(1) If the action was brought by the Director
upon a request made by a person pursuant to (a), 
the person who made the request shall be entitled to 
15 percent of the civil penalties. 

(2) If the action was brought by the person who 
made the request pursuant to (a), that person shall 
receive an amount the court determines is reason-
able for collecting the civil penalties on behalf of the
government. The amount shall be not less than 25
percent and not more than 50 percent of the pro-
ceeds of the action and shall be paid out of the pro-
ceeds.

TITLE V—RELATION TO OTHER LAW

SEC. 501. RELATION TO OTHER FEDERAL LAW. 

Nothing in this Act shall be construed to— 

(1) modify, limit, or supersede the operation of 
any privacy or security provision in— 

(A) section 552a of title 5, United States 
Code (commonly known as the “Privacy Act of 
1974”); 

(B) the Right to Financial Privacy Act of
1978 (12 U.S.C. 3401 et seq.); 

(C) the Fair Credit Reporting Act (15 
U.S.C. 1681 et seq.); 
(D) the Fair Debt Collection Practices Act
(15 U.S.C. 1692 et seq.);

(E) the Children’s Online Privacy Protec-
tion Act of 1998 (15 U.S.C. 6501 et seq.);

(F) title V of the Gramm-Leach-Bliley Act 
(15 U.S.C. 6801 et seq.); 

(G) chapters 119, 123, or 206 of title 18, 
United States Code; 

(H) section 444 of the General Education 
Provisions Act (20 U.S.C. 1232g) (commonly 
referred to as the “Family Educational Rights
and Privacy Act of 1974”); 

(I) section 445 of the General Education 
Provisions Act (20 U.S.C. 1232h);

(J) the Privacy Protection Act of 1980 (42 
U.S.C. 2000aa et seq.); 

(K) the regulations promulgated under sec-
tion 264(c) of the Health Insurance Portability
and Accountability Act of 1996 (42 U.S.C.
1320d-2 note), as those regulations relate to—

(i) a person described in section
1172(a) of the Social Security Act (42
U.S.C. 1320d-1(a)); or

(ii) transactions referred to in section
1173(a)(1) of the Social Security Act (42
U.S.C. 1320d-2(a)(1));

(L) the Communications Assist-
ance for Law Enforcement Act (47
U.S.C. 1001 et seq.);

(M) sections 222, 227, 338, or 631 of the 
Communications Act of 1934 (47 U.S.C. 222, 
227, 338, or 551); 

(N) the E-Government Act of 2002 (44 
U.S.C. 101 et seq.); 

(O) the Paperwork Reduction Act of 1995 
(44 U.S.C. 3501 et seq.); 

(P) Federal Information Security Manage-
ment Act of 2002 (44 U.S.C. 3541 et seq.);

(Q) the Currency and Foreign Trans-
actions Reporting Act of 1970, as amended
(commonly known as the Bank Secrecy Act)
(12 U.S.C. 1829b and 1951-1959, 31 U.S.C.
5311-5314 and 5316-5332), including the
International Money Laundering Abatement 
and Financial Anti-Terrorism Act of 2001, title 
III of Public Law 107-56, as amended; 

(R) the National Security Act of 1947 (50 
U.S.C. 3001 et seq.); 
(S) the Foreign Intelligence Surveillance
Act of 1978, as amended (50 U.S.C. 1801 et 
seq.); 

(T) the Civil Rights Act of 1964 (Public 
Law 88-352, 78 Stat. 241); 

(U) the Americans with Disabilities Act 
(42 U.S.C. 12101 et seq.); 

(V) the Fair Housing Act (42 U.S.C. 3601 
et seq.); 

(W) the Dodd-Frank Wall Street Reform 
and Consumer Protection Act (Public Law 
111-203, 124 Stat. 1376-2223); 

(X) the Equal Credit Opportunity Act (15 
U.S.C. 1691 et seq.); 

(Y) the Age Discrimination in Employment 
Act (29 U.S.C. 621 et seq.); 

(Z) the Genetic Information Non-
discrimination Act (Public Law 110-233, 122
Stat. 881); or

(AA) any other privacy or security provi-
sion of Federal law; or

(2) limit the authority of the Federal Commu-
nications Commission to promulgate regulations and
enforce any privacy law not in contradiction with 
this Act. 
1 SEC. 502. SEVERABILITY.

2 If any provision of this Act, or the application there- 

3 of, is held unconstitutional or otherwise invalid, the valid- 

4 ity of the remainder of the Act and the application of such 

5 provision shall not be affected thereby. 